Windows Analysis Report
KuponcuBaba.exe

Overview

General Information

Sample Name: KuponcuBaba.exe
Analysis ID: 778230
MD5: d6c3bf64cc7cb131d467246ce5a4c455
SHA1: 2ea0b0bda586aeaef818445f48eae6edca8b9901
SHA256: d91890315262e8a77c565b54baa5f82cbd32451bbe4293bcd8b1918a3d2e0aa1
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Hides threads from debuggers
Contains functionality to infect the boot sector
Modifies the context of a thread in another process (thread injection)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_70A380F0 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,clock,clock,clock,clock,CryptReleaseContext, 7_2_70A380F0
Source: KuponcuBaba.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\35\b\bin\amd64\python3.pdb source: KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.556432245.0000027F02150000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_ssl.pdb source: KuponcuBaba.exe, 00000007.00000002.573058618.00007FFA0ACAD000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: signToolcAToolsignToolCertcAToolCertISSUER_SIGN_TOOLv2i_issuer_sign_toolcrypto\x509\v3_ist.ci2r_issuer_sign_tool%*ssignTool : %*scATool : %*ssignToolCert: %*scAToolCert : compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: PKCS8_encrypt_excrypto\pkcs12\p12_p8e.cPKCS8_set0_pbe_excrypto\bio\bio_sock.cBIO_sock_initcalling wsastartup()BIO_socket_ioctlcalling ioctlsocket()i2d_ASN1_bio_streamcrypto\asn1\asn_mime.cB64_write_ASN1-----BEGIN %s----- source: _openssl.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_socket.pdb source: KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.569699537.00007FFA069F8000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_ctypes.pdb source: KuponcuBaba.exe, 00000007.00000002.569805697.00007FFA06A20000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\win32clipboard.pdb source: KuponcuBaba.exe, 00000001.00000003.295672850.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573522589.00007FFA18E34000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: _openssl.pyd.1.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: KuponcuBaba.exe, 00000007.00000002.569113530.00007FFA068EE000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_queue.pdb source: KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573757806.00007FFA18EA3000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb source: _decimal.pyd.1.dr
Source: Binary string: C:\A\39\b\libssl-1_1.pdb source: KuponcuBaba.exe, 00000007.00000002.567632450.00007FFA06665000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.1.dr
Source: Binary string: challengeNETSCAPE_SPKACspkacsig_algorcrypto\bn\bn_exp.cBN_mod_exp_recpBN_mod_exp_mont_wordX509V3_EXT_nconf_intcrypto\x509\v3_conf.csection=%s, name=%s, value=%sdo_ext_nconfname=%s,section=%sdo_ext_i2dX509V3_EXT_i2dcritical,DER:ASN1:v3_generic_extensionvalue=%sX509V3_get_sectioncrypto\x509\v3_lib.cX509V3_add1_i2dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC3.0.5built on: Tue Jul 5 11:53:43 2022 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot available source: _openssl.pyd.1.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1m 14 Dec 2021built on: Sun Dec 19 14:27:21 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: KuponcuBaba.exe, 00000007.00000002.569113530.00007FFA068EE000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: KuponcuBaba.exe, 00000001.00000003.287563558.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.572480939.00007FFA094C1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\unicodedata.pdb source: KuponcuBaba.exe, 00000001.00000003.295270844.000001A41CE31000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.567289329.00007FFA065DB000.00000002.00000001.01000000.00000012.sdmp, unicodedata.pyd.1.dr
Source: Binary string: C:\A\39\b\libcrypto-1_1.pdb source: KuponcuBaba.exe, 00000007.00000002.569402590.00007FFA06970000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_uuid.pdb source: KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573650405.00007FFA18E92000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdb source: KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.572836068.00007FFA0AC87000.00000002.00000001.01000000.00000014.sdmp, _lzma.pyd.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\pywintypes.pdb source: KuponcuBaba.exe, 00000007.00000002.572638453.00007FFA0AC51000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_hashlib.pdb source: KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.574016045.00007FFA1B4D6000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\python310.pdb source: KuponcuBaba.exe, 00000007.00000002.571582077.00007FFA06D5E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\select.pdb source: KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573851934.00007FFA18ED3000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_bz2.pdb source: KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573363921.00007FFA13D0D000.00000002.00000001.01000000.00000013.sdmp
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8456940 FindFirstFileExW,FindClose, 1_2_00007FF6F8456940
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8470D64 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF6F8470D64
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F84665F8 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 1_2_00007FF6F84665F8
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 4x nop then push rbp 7_2_70A2BD40
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: KuponcuBaba.exe, 00000007.00000002.562123971.0000027F04A30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.../back.jpeg
Source: KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%s/status
Source: KuponcuBaba.exe, 00000007.00000002.564631005.0000027F05078000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:4444
Source: KuponcuBaba.exe, 00000007.00000002.558650240.0000027F029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:4444/wd/hub
Source: KuponcuBaba.exe, 00000007.00000002.562707463.0000027F04B59000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.559730683.0000027F04430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.0.0.1:4444/wd/hub
Source: KuponcuBaba.exe, 00000007.00000002.564546201.0000027F05060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bitbucket.org/techtonik/python-pager
Source: KuponcuBaba.exe, 00000007.00000002.562707463.0000027F04B59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bitbucket.org/techtonik/python-wget/
Source: KuponcuBaba.exe, 00000007.00000002.564631005.0000027F05078000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.562123971.0000027F04A30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://chromedriver.storage.googleapis.com/index.html
KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294179028.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290365312.000001A41CE33000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295259301.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295270844.000001A41CE31000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, pyexpat.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: KuponcuBaba.exe, 00000001.00000003.292065746.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292096227.000001A41CE34000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, libffi-7.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294179028.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292065746.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295259301.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289912898.000001A41CE33000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292096227.000001A41CE34000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, pyexpat.pyd.1.dr, libssl-1_1.dll.1.dr String found in binary or memory: 
http://crl4.digicert.com/sha2-assured-ts.crl0
Source: KuponcuBaba.exe, 00000007.00000002.562123971.0000027F04A30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail
Source: KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: KuponcuBaba.exe, 00000007.00000002.562123971.0000027F04A30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://greenbytes.de/tech/tc2231/
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.334518018.0000027F045CD000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://httpbin.org/
Source: KuponcuBaba.exe, 00000007.00000002.558650240.0000027F029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://json.org
Source: KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es
Source: KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.esPE
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294179028.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295259301.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295270844.000001A41CE31000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, pyexpat.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294179028.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295102823.000001A41CE37000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290365312.000001A41CE33000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295270844.000001A41CE31000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, pyexpat.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294179028.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292065746.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295102823.000001A41CE37000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295259301.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289912898.000001A41CE33000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292096227.000001A41CE34000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, 
KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: KuponcuBaba.exe, 00000001.00000003.292065746.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292096227.000001A41CE34000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, libffi-7.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294179028.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292065746.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295259301.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289912898.000001A41CE33000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292096227.000001A41CE34000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, pyexpat.pyd.1.dr, libssl-1_1.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: KuponcuBaba.exe, 00000007.00000002.562707463.0000027F04B59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pypi.python.org/pypi/wget/
Source: KuponcuBaba.exe, 00000007.00000002.562926496.0000027F04BD2000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/(lK
Source: KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/Zl
Source: KuponcuBaba.exe, 00000007.00000002.565894975.0000027F051F4000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560571375.0000027F04630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://sunucu.troyagame.com/
Source: KuponcuBaba.exe, 00000007.00000002.559730683.0000027F04430000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.558650240.0000027F029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sunucu.troyagame.com/z
Source: KuponcuBaba.exe, 00000007.00000002.561699929.0000027F04930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: KuponcuBaba.exe, 00000001.00000003.298015876.000001A41CE2E000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.298020453.000001A41CE30000.00000004.00000020.00020000.00000000.sdmp, mutation-listener.js.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: KuponcuBaba.exe, 00000007.00000002.559160943.0000027F02A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294179028.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292065746.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295259301.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289912898.000001A41CE33000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292096227.000001A41CE34000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295270844.000001A41CE31000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, 
unicodedata.pyd.1.dr, pyexpat.pyd.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.563507590.0000027F04CC1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.563280811.0000027F04C6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: KuponcuBaba.exe, 00000007.00000003.334060970.0000027F044A6000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560131047.0000027F04506000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.333732076.0000027F04506000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.333894641.0000027F04507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2004/em-rdf#
Source: KuponcuBaba.exe, 00000007.00000002.562707463.0000027F04B59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: KuponcuBaba.exe, 00000007.00000002.560416129.0000027F045F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwwsearch.sf.net/):
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://yahoo.com/
Source: _cffi_backend.cp310-win_amd64.pyd.1.dr String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: KuponcuBaba.exe, 00000007.00000002.562707463.0000027F04B59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromedevtools.github.io/devtools-protocol/
Source: KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromedriver.chromium.org/home
Source: KuponcuBaba.exe, 00000007.00000002.565551982.0000027F051B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromedriver.storage.googleapis.com/
Source: KuponcuBaba.exe, 00000007.00000002.565293099.0000027F0515C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromedriver.storage.googleapis.com/LATEST_RELEASE
Source: KuponcuBaba.exe, 00000007.00000002.560416129.0000027F045F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromedriver.storage.googleapis.com/LATEST_RELEASEz
Source: KuponcuBaba.exe, 00000007.00000002.560416129.0000027F045F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromedriver.storage.googleapis.com/z
Source: KuponcuBaba.exe, 00000007.00000002.561699929.0000027F04930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cloud.google.com/appengine/docs/standard/runtimes
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://codecov.io/github/pyca/cryptography/coverage.svg?branch=main
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://codecov.io/github/pyca/cryptography?branch=main
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://cryptography.io
Source: METADATA.1.dr String found in binary or memory: https://cryptography.io/
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://cryptography.io/en/latest/security/
Source: KuponcuBaba.exe, 00000007.00000002.565293099.0000027F0515C000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://developer.apple.com/safari/download/.
Source: KuponcuBaba.exe, 00000007.00000002.561699929.0000027F04930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
Source: KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: KuponcuBaba.exe, 00000007.00000002.562707463.0000027F04B59000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.562815618.0000027F04B94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/SeleniumHQ/selenium/wiki/DesiredCapabilities
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/SeleniumHQ/selenium/wiki/InternetExplorerDriver
Source: KuponcuBaba.exe, 00000007.00000002.563722039.0000027F04F30000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.561089027.0000027F04830000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.564546201.0000027F05060000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.562707463.0000027F04B59000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.562815618.0000027F04B94000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/SeleniumHQ/selenium/wiki/JsonWireProtocol
Source: KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/SeleniumHQ/selenium/wiki/JsonWireProtocol)
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300075577.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300234894.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.299922007.0000027F022F9000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.299928153.0000027F022A7000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300170147.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.556629333.0000027F0225D000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300206686.0000027F022A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: KuponcuBaba.exe, 00000001.00000003.295690492.000001A41CE37000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295672850.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294934339.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.572718758.00007FFA0AC62000.00000002.00000001.01000000.00000017.sdmp, KuponcuBaba.exe, 00000007.00000002.573581346.00007FFA18E38000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: https://github.com/mhammond/pywin32
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://github.com/pyca/cryptography
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://github.com/pyca/cryptography/
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: METADATA.1.dr String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: KuponcuBaba.exe, 00000007.00000003.299968567.0000027F022F8000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.557606845.0000027F026E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: KuponcuBaba.exe, 00000007.00000003.300206686.0000027F022A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300075577.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300234894.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.299922007.0000027F022F9000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.299928153.0000027F022A7000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300170147.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.556629333.0000027F0225D000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300206686.0000027F022A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300075577.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300234894.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.299922007.0000027F022F9000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.299928153.0000027F022A7000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300170147.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.556629333.0000027F0225D000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300206686.0000027F022A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: KuponcuBaba.exe, 00000007.00000002.561089027.0000027F04830000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/497
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.334518018.0000027F045CD000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: KuponcuBaba.exe, 00000007.00000002.564493371.0000027F05050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/get
Source: KuponcuBaba.exe, 00000007.00000003.333554896.0000027F02A48000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.559160943.0000027F02A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/post
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: KuponcuBaba.exe, 00000007.00000002.560416129.0000027F045F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://pypi.org/project/cryptography/
Source: KuponcuBaba.exe, 00000007.00000002.571582077.00007FFA06D5E000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: KuponcuBaba.exe, 00000001.00000003.297191026.000001A41CE2D000.00000004.00000020.00020000.00000000.sdmp, METADATA.1.dr String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: KuponcuBaba.exe, 00000007.00000002.563722039.0000027F04F30000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.333554896.0000027F02A48000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.559160943.0000027F02A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
Source: KuponcuBaba.exe, 00000007.00000002.565894975.0000027F051F4000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.564546201.0000027F05060000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sunucu.troyagame.com/
Source: KuponcuBaba.exe, 00000007.00000002.559730683.0000027F04430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.334518018.0000027F045CD000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560325416.0000027F045BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: KuponcuBaba.exe, 00000007.00000002.560571375.0000027F04630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy
Source: KuponcuBaba.exe, 00000007.00000002.560571375.0000027F04630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Source: KuponcuBaba.exe, 00000007.00000002.558650240.0000027F029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/html/sec-forms.html#multipart-form-data
Source: KuponcuBaba.exe, 00000007.00000002.559730683.0000027F04430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/webauthn/#credential-parameters
Source: KuponcuBaba.exe, 00000007.00000002.562123971.0000027F04A30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/webdriver/#dfn-browser-version
Source: KuponcuBaba.exe, 00000007.00000002.564385194.0000027F05030000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/webdriver/#dfn-insecure-tls-certificates
Source: KuponcuBaba.exe, 00000007.00000002.564546201.0000027F05060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/webdriver/#dfn-platform-name
Source: KuponcuBaba.exe, 00000007.00000002.562123971.0000027F04A30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/webdriver/#dfn-strict-file-interactability
Source: KuponcuBaba.exe, 00000007.00000002.563722039.0000027F04F30000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.564385194.0000027F05030000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/webdriver/#dfn-table-of-page-load-strategies
Source: KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/webdriver/#timeouts
Source: KuponcuBaba.exe, 00000001.00000003.296719687.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, LICENSE.APACHE.1.dr String found in binary or memory: https://www.apache.org/licenses/
Source: KuponcuBaba.exe, 00000001.00000003.296891487.000001A41CE39000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.296719687.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.296737570.000001A41CE38000.00000004.00000020.00020000.00000000.sdmp, LICENSE.APACHE.1.dr String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: KuponcuBaba.exe, 00000007.00000002.563176497.0000027F04C39000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.559160943.0000027F02A67000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.563300269.0000027F04C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.294179028.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292065746.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295102823.000001A41CE37000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295259301.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.289912898.000001A41CE33000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292096227.000001A41CE34000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000001.00000003.292760666.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.567784866.00007FFA0669A000.00000002.00000001.01000000.0000000F.sdmp, KuponcuBaba.exe, 00000007.00000002.569650058.00007FFA069E7000.00000002.00000001.01000000.0000000E.sdmp, libssl-1_1.dll.1.dr String found in binary or memory: https://www.openssl.org/H
Source: KuponcuBaba.exe, 00000007.00000003.333554896.0000027F02A48000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.559160943.0000027F02A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org
Source: KuponcuBaba.exe, 00000007.00000002.560416129.0000027F045F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/
Source: KuponcuBaba.exe, 00000001.00000003.295819833.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.560571375.0000027F04630000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: KuponcuBaba.exe, 00000007.00000002.557187866.0000027F02660000.00000004.00001000.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000003.300707340.0000027F029DA000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.1.dr String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: KuponcuBaba.exe, 00000007.00000002.557006907.0000027F022D1000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.564750127.0000027F050A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.selenium.dev/downloads/
Source: KuponcuBaba.exe, 00000007.00000002.560571375.0000027F04630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.yemeksepeti.com/
Source: KuponcuBaba.exe, 00000007.00000002.559730683.0000027F04430000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.558650240.0000027F029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yemeksepeti.com/rj
Source: KuponcuBaba.exe, 00000007.00000002.563507590.0000027F04CC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: KuponcuBaba.exe, 00000007.00000002.563507590.0000027F04CC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: KuponcuBaba.exe, 00000007.00000002.563507590.0000027F04CC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/s
Source: unknown DNS traffic detected: queries for: sunucu.troyagame.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: sunucu.troyagame.com User-Agent: python-requests/2.28.1 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: String function: 70A04230 appears 238 times
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: String function: 70A2D400 appears 325 times
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: String function: 70A96CA0 appears 192 times
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: String function: 70A96730 appears 31 times
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: String function: 00007FF6F8451C50 appears 53 times
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_70A22B90: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, 7_2_70A22B90
Source: unicodedata.pyd.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: python3.dll.1.dr Static PE information: No import functions for PE file found
Source: KuponcuBaba.exe, 00000001.00000003.288223929.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.287563558.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.295690492.000001A41CE37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewin32clipboard.pyd0 vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.290181500.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_uuid.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.295259301.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.295672850.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewin32clipboard.pyd0 vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.294934339.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepywintypes310.dll0 vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.295270844.000001A41CE31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.293363796.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.293079165.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000001.00000003.288477963.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe Binary or memory string: OriginalFilename vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.569840953.00007FFA06A2B000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.567325250.00007FFA065E1000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.569735716.00007FFA06A02000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.572937829.00007FFA0AC94000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.556432245.0000027F02150000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.573697532.00007FFA18E94000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: OriginalFilename_uuid.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.567784866.00007FFA0669A000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilenamelibsslH vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.572718758.00007FFA0AC62000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: OriginalFilenamepywintypes310.dll0 vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.573790107.00007FFA18EA6000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.573412480.00007FFA13D12000.00000002.00000001.01000000.00000013.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.569650058.00007FFA069E7000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.572377153.00007FFA06E77000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamepython310.dll. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.574057697.00007FFA1B4DD000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.573581346.00007FFA18E38000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: OriginalFilenamewin32clipboard.pyd0 vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.572521270.00007FFA094C7000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.573247619.00007FFA0ACC5000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs KuponcuBaba.exe
Source: KuponcuBaba.exe, 00000007.00000002.573874254.00007FFA18ED6000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs KuponcuBaba.exe
Source: _pytransform.dll.1.dr Static PE information: Number of sections : 11 > 10
Source: C:\Users\user\Desktop\KuponcuBaba.exe File read: C:\Users\user\Desktop\KuponcuBaba.exe
Source: KuponcuBaba.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KuponcuBaba.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\KuponcuBaba.exe C:\Users\user\Desktop\KuponcuBaba.exe
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Users\user\Desktop\KuponcuBaba.exe C:\Users\user\Desktop\KuponcuBaba.exe
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @echo off
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202
Source: classification engine Classification label: mal52.evad.winEXE@10/40@2/1
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F84565D0 GetLastError,FormatMessageW,WideCharToMultiByte, 1_2_00007FF6F84565D0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
Source: C:\Users\user\Desktop\KuponcuBaba.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\KuponcuBaba.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: KuponcuBaba.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: KuponcuBaba.exe Static file information: File size 9945512 > 1048576
Source: KuponcuBaba.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KuponcuBaba.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KuponcuBaba.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KuponcuBaba.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KuponcuBaba.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KuponcuBaba.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KuponcuBaba.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\35\b\bin\amd64\python3.pdb source: KuponcuBaba.exe, 00000001.00000003.293779056.000001A41CE29000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.556432245.0000027F02150000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_ssl.pdb source: KuponcuBaba.exe, 00000007.00000002.573058618.00007FFA0ACAD000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: signToolcAToolsignToolCertcAToolCertISSUER_SIGN_TOOLv2i_issuer_sign_toolcrypto\x509\v3_ist.ci2r_issuer_sign_tool%*ssignTool : %*scATool : %*ssignToolCert: %*scAToolCert : compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: PKCS8_encrypt_excrypto\pkcs12\p12_p8e.cPKCS8_set0_pbe_excrypto\bio\bio_sock.cBIO_sock_initcalling wsastartup()BIO_socket_ioctlcalling ioctlsocket()i2d_ASN1_bio_streamcrypto\asn1\asn_mime.cB64_write_ASN1-----BEGIN %s----- source: _openssl.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_socket.pdb source: KuponcuBaba.exe, 00000001.00000003.290031400.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.569699537.00007FFA069F8000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_ctypes.pdb source: KuponcuBaba.exe, 00000007.00000002.569805697.00007FFA06A20000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb## source: _decimal.pyd.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\win32clipboard.pdb source: KuponcuBaba.exe, 00000001.00000003.295672850.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573522589.00007FFA18E34000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: _openssl.pyd.1.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: KuponcuBaba.exe, 00000007.00000002.569113530.00007FFA068EE000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdbMM source: KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.572836068.00007FFA0AC87000.00000002.00000001.01000000.00000014.sdmp, _lzma.pyd.1.dr
Source: Binary string: C:\A\39\b\libssl-1_1.pdb?? source: KuponcuBaba.exe, 00000007.00000002.567632450.00007FFA06665000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_queue.pdb source: KuponcuBaba.exe, 00000001.00000003.289893788.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573757806.00007FFA18EA3000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb source: _decimal.pyd.1.dr
Source: Binary string: C:\A\39\b\libssl-1_1.pdb source: KuponcuBaba.exe, 00000007.00000002.567632450.00007FFA06665000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.1.dr
Source: Binary string: challengeNETSCAPE_SPKACspkacsig_algorcrypto\bn\bn_exp.cBN_mod_exp_recpBN_mod_exp_mont_wordX509V3_EXT_nconf_intcrypto\x509\v3_conf.csection=%s, name=%s, value=%sdo_ext_nconfname=%s,section=%sdo_ext_i2dX509V3_EXT_i2dcritical,DER:ASN1:v3_generic_extensionvalue=%sX509V3_get_sectioncrypto\x509\v3_lib.cX509V3_add1_i2dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC3.0.5built on: Tue Jul 5 11:53:43 2022 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot available source: _openssl.pyd.1.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1m 14 Dec 2021built on: Sun Dec 19 14:27:21 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: KuponcuBaba.exe, 00000007.00000002.569113530.00007FFA068EE000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\pywintypes.pdb** source: KuponcuBaba.exe, 00000007.00000002.572638453.00007FFA0AC51000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: KuponcuBaba.exe, 00000001.00000003.287563558.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.572480939.00007FFA094C1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\unicodedata.pdb source: KuponcuBaba.exe, 00000001.00000003.295270844.000001A41CE31000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.567289329.00007FFA065DB000.00000002.00000001.01000000.00000012.sdmp, unicodedata.pyd.1.dr
Source: Binary string: C:\A\39\b\libcrypto-1_1.pdb source: KuponcuBaba.exe, 00000007.00000002.569402590.00007FFA06970000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_uuid.pdb source: KuponcuBaba.exe, 00000001.00000003.290354827.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573650405.00007FFA18E92000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdb source: KuponcuBaba.exe, 00000001.00000003.289049492.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.572836068.00007FFA0AC87000.00000002.00000001.01000000.00000014.sdmp, _lzma.pyd.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\pywintypes.pdb source: KuponcuBaba.exe, 00000007.00000002.572638453.00007FFA0AC51000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\_hashlib.pdb source: KuponcuBaba.exe, 00000001.00000003.288861139.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.574016045.00007FFA1B4D6000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\python310.pdb source: KuponcuBaba.exe, 00000007.00000002.571582077.00007FFA06D5E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\select.pdb source: KuponcuBaba.exe, 00000001.00000003.295085740.000001A41CE2A000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573851934.00007FFA18ED3000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\A\35\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_bz2.pdb source: KuponcuBaba.exe, 00000001.00000003.287690612.000001A41CE26000.00000004.00000020.00020000.00000000.sdmp, KuponcuBaba.exe, 00000007.00000002.573363921.00007FFA13D0D000.00000002.00000001.01000000.00000013.sdmp
Source: KuponcuBaba.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KuponcuBaba.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KuponcuBaba.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KuponcuBaba.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KuponcuBaba.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_70B2B4B4 push rax; retf FA26h 7_2_70B2B4CE
Source: KuponcuBaba.exe Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.1.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.1.dr Static PE information: section name: .00cfg
Source: python310.dll.1.dr Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.1.dr Static PE information: section name: _RDATA
Source: _pytransform.dll.1.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_70A70C90 LoadLibraryA,GetProcAddress,GetCurrentThread,RtlWow64SetThreadContext, 7_2_70A70C90
Source: _rust.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x18f993
Source: win32clipboard.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0xe7ea
Source: _cffi_backend.cp310-win_amd64.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x38dc3
Source: pywintypes310.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x2c5f0
Source: _pytransform.dll.1.dr Static PE information: real checksum: 0x125b11 should be: 0x120054
Source: _openssl.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x3d5506

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d 7_2_70A22B90
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d 7_2_70A227E0
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\python3.dll
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\pywintypes310.dll
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\pyexpat.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_hashlib.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_cffi_backend.cp310-win_amd64.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_lzma.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\win32clipboard.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_decimal.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\select.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\cryptography\hazmat\bindings\_openssl.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_uuid.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\unicodedata.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_ssl.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\libffi-7.dll
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_queue.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\python310.dll
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_pytransform.dll
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_socket.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_ctypes.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\_bz2.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28202\libssl-1_1.dll

Boot Survival

Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d 7_2_70A22B90
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d 7_2_70A227E0
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8454710 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00007FF6F8454710
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\KuponcuBaba.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28202\cryptography\hazmat\bindings\_openssl.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28202\python3.dll
Source: C:\Users\user\Desktop\KuponcuBaba.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28202\pyexpat.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28202\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28202\_cffi_backend.cp310-win_amd64.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28202\_decimal.pyd
Source: C:\Users\user\Desktop\KuponcuBaba.exe API coverage: 4.1 %
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_70A97031 GetSystemInfo, 7_2_70A97031
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8456940 FindFirstFileExW,FindClose, 1_2_00007FF6F8456940
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8470D64 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF6F8470D64
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F84665F8 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 1_2_00007FF6F84665F8
Source: KuponcuBaba.exe, 00000007.00000002.559730683.0000027F04430000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWopti%SystemRoot%\system32\mswsock.dllvailable on all platforms!

Anti Debugging

Source: C:\Users\user\Desktop\KuponcuBaba.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F845A95C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6F845A95C
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_70A70C90 LoadLibraryA,GetProcAddress,GetCurrentThread,RtlWow64SetThreadContext, 7_2_70A70C90
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8472930 GetProcessHeap, 1_2_00007FF6F8472930
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F845A190 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 1_2_00007FF6F845A190
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F845AB04 SetUnhandledExceptionFilter, 1_2_00007FF6F845AB04
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F845A344 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF6F845A344
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8469F80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6F8469F80
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_70A95380 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_70A95380
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_00007FF6F845A190 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 7_2_00007FF6F845A190

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\KuponcuBaba.exe Thread register set: target process: 64 Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Thread register set: target process: 64 Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Thread register set: target process: 64 Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Users\user\Desktop\KuponcuBaba.exe C:\Users\user\Desktop\KuponcuBaba.exe Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver" Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @echo off Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\cryptography VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\cryptography\hazmat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\cryptography\hazmat\bindings VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\certifi VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\cryptography-37.0.4.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\selenium VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\selenium\webdriver VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\selenium\webdriver\common VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\selenium\webdriver\common\devtools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\selenium\webdriver\remote VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\Desktop\KuponcuBaba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202 VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_pytransform.dll VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_queue.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_lzma.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\_uuid.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28202\win32clipboard.pyd VolumeInformation
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8478950 cpuid 1_2_00007FF6F8478950
Source: C:\Users\user\Desktop\KuponcuBaba.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F845A840 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00007FF6F845A840
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 1_2_00007FF6F8474DC8 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 1_2_00007FF6F8474DC8
Source: C:\Users\user\Desktop\KuponcuBaba.exe Code function: 7_2_70A70CFC GetVersion,GetCurrentThread, 7_2_70A70CFC