Edit tour

Windows Analysis Report
w22319us3M.exe

Overview

General Information

Sample name:	w22319us3M.exe renamed because original name is a hash value
Original sample name:	58dd20c846afcde669280ef51d04e62f.exe
Analysis ID:	1581394
MD5:	58dd20c846afcde669280ef51d04e62f
SHA1:	ffa7c3030c82f740a7f41bd67330e2648f115890
SHA256:	e93860174210eb29039c999d08a9c132a7750c583d57ebcfbda4bcee2634fd00
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected Stealc

Yara detected Vidar stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Drops PE files to the document folder of the user

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Hides threads from debuggers

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Monitors registry run keys for changes

PE file contains section with special chars

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

w22319us3M.exe (PID: 4980 cmdline: "C:\Users\user\Desktop\w22319us3M.exe" MD5: 58DD20C846AFCDE669280EF51D04E62F)

GCIPC88T1V3Y5G2CGGZMZF.exe (PID: 3812 cmdline: "C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe" MD5: E8986E2F122CDFCFED4853174606574F)

chrome.exe (PID: 2920 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=2224,i,6748778520308675678,4762310437119586897,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 8096 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7680 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2400,i,10826734570849083507,2192603502781811824,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 6128 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KFHJJJKKFH.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

KFHJJJKKFH.exe (PID: 6180 cmdline: "C:\Users\user\Documents\KFHJJJKKFH.exe" MD5: 023D3E22C2DF966B7EC6B1950A2FBC95)

C2XE6J33GF4A861OXJC15F1M3NC83Q.exe (PID: 6192 cmdline: "C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe" MD5: 023D3E22C2DF966B7EC6B1950A2FBC95)

skotes.exe (PID: 7492 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 023D3E22C2DF966B7EC6B1950A2FBC95)

skotes.exe (PID: 7620 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 023D3E22C2DF966B7EC6B1950A2FBC95)

msedge.exe (PID: 7812 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2704 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1968,i,8730398777066644679,12218846822964699434,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

skotes.exe (PID: 7296 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 023D3E22C2DF966B7EC6B1950A2FBC95)

OiMp3TH.exe (PID: 2232 cmdline: "C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe" MD5: AB408F4EB577EDA6D98941EDE1B44863)

powershell.exe (PID: 7204 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kqafnifqcv_638708865856767870.exe (PID: 2228 cmdline: "C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe" MD5: 2A64267B616C528EE9618165671CCA9A)

86e84e5515.exe (PID: 4324 cmdline: "C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

86e84e5515.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

59c9193d17.exe (PID: 7604 cmdline: "C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe" MD5: 87330F1877C33A5A6203C49075223B16)

ecc27e013f.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe" MD5: 01FBECB34B5AC1C9C3336C64817F1637)

4ee1ae93b7.exe (PID: 7688 cmdline: "C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe" MD5: 4B28BC82A5E69BA553B5834D151D25A1)

WerFault.exe (PID: 5848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 1212 MD5: C31336C1EFC2CCB44B4326EA793040F2)

3237c2ad29.exe (PID: 7716 cmdline: "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe" MD5: 3B6A8C673CDBE5C6944E92E7DE9F75CF)

3237c2ad29.exe (PID: 7776 cmdline: "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe" MD5: 3B6A8C673CDBE5C6944E92E7DE9F75CF)

3237c2ad29.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe" MD5: 3B6A8C673CDBE5C6944E92E7DE9F75CF)

624913e255.exe (PID: 4676 cmdline: "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe" MD5: 982F741655AE237D2085045857E8AB6E)

624913e255.exe (PID: 5768 cmdline: "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe" MD5: 982F741655AE237D2085045857E8AB6E)

cmd.exe (PID: 6616 cmdline: cmd.exe /c taskkill.exe /F /IM "nvidia.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3228 cmdline: cmd.exe /c taskkill.exe /F /IM "svdhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6592 cmdline: taskkill.exe /F /IM "svdhost.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 6496 cmdline: cmd.exe /c taskkill.exe /F /IM "csrr.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2448 cmdline: cmd.exe /c taskkill.exe /F /IM "mnn.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3276 cmdline: cmd.exe /c taskkill.exe /F /IM "mme.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5436 cmdline: taskkill.exe /F /IM "mme.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 1252 cmdline: cmd.exe /c taskkill.exe /F /IM "nnu.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5260 cmdline: taskkill.exe /F /IM "nnu.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 6532 cmdline: cmd.exe /c taskkill.exe /F /IM "lss.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 980 cmdline: cmd.exe /c taskkill.exe /F /IM "onn.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2920 cmdline: cmd.exe /c taskkill.exe /F /IM "u-eng.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4712 cmdline: taskkill.exe /F /IM "u-eng.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

b310885a4c.exe (PID: 4460 cmdline: "C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe" MD5: CB97797381331EC96CA770399B1E0E02)

525f5f9628.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe" MD5: E8986E2F122CDFCFED4853174606574F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}

Threatname: LummaC

{"C2 url": ["sustainskelet.lat", "grannyejh.lat", "energyaffai.lat", "necklacebudi.lat", "aspecteirs.lat", "discokeyus.lat", "rapeflowwj.lat", "crosshuaht.lat"], "Build id": "7uZzAf--"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002C.00000002.4575330103.0000000000631000.00000040.00000001.01000000.00000020.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.3032740803.00000000014EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.3027431904.0000000000BB1000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000004.00000002.2548648752.00000000007A1000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000021.00000002.3575167111.00000000044DA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.3027431904.0000000000C7C000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.4670882680.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001C.00000002.3071803296.0000000000321000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000002.3878868238.000000000142B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000020.00000002.4715017228.0000000004B30000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002C.00000002.4580749981.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000009.00000002.2592560272.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000002.4675874053.0000000000EA8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1708:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000025.00000003.4575525882.0000000000D85000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: w22319us3M.exe PID: 4980	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: w22319us3M.exe PID: 4980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: w22319us3M.exe PID: 4980	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 86e84e5515.exe PID: 7616	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 86e84e5515.exe PID: 7616	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 86e84e5515.exe PID: 7616	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 3237c2ad29.exe PID: 7784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3237c2ad29.exe PID: 7784	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
35.2.3237c2ad29.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
35.2.3237c2ad29.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
33.2.3237c2ad29.exe.45ecf38.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
33.2.3237c2ad29.exe.42fb8f0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
33.2.3237c2ad29.exe.42fb8f0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.skotes.exe.ad0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
33.0.3237c2ad29.exe.ef0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
33.0.3237c2ad29.exe.ef0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
33.2.3237c2ad29.exe.42c39b8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
33.2.3237c2ad29.exe.42c39b8.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
33.2.3237c2ad29.exe.42c39b8.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
33.2.3237c2ad29.exe.42c39b8.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xf10c:$s1: file:/// 0x7b0ad:$s1: file:/// 0xf01c:$s2: {11111-22222-10009-11112} 0xf09c:$s3: {11111-22222-50001-00000} 0x7af31:$s3: {11111-22222-50001-00000} 0x79108:$s4: get_Module 0xe890:$s5: Reverse 0x79517:$s5: Reverse 0x1eafde:$s5: Reverse 0xcd07:$s6: BlockCopy 0x1eafc8:$s7: ReadByte 0x7b0bf:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
33.2.3237c2ad29.exe.42fb8f0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
28.2.KFHJJJKKFH.exe.320000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
16.2.skotes.exe.ad0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.skotes.exe.ad0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.7a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
44.2.525f5f9628.exe.630000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
44.2.525f5f9628.exe.630000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7296, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b310885a4c.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe, ParentProcessId: 2232, ParentProcessName: OiMp3TH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc', ProcessId: 7204, ProcessName: powershell.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe", ParentImage: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe, ParentProcessId: 3812, ParentProcessName: GCIPC88T1V3Y5G2CGGZMZF.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 2920, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7296, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b310885a4c.exe

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe,"C:\ProgramData\Samsung\svdhost.exe","C:\Users\user\AppData\Roaming\Fsdisk\Moderax\svdhost.exe","C:\Users\user\AppData\Local\Alexa\Virtual\csrr.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe, ProcessId: 5768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe, ParentProcessId: 2232, ParentProcessName: OiMp3TH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc', ProcessId: 7204, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: w22319us3M.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://pancakedipyps.click/api&C	Avira URL Cloud: Label: malware
Source: https://hummskitnj.buzz/	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php84N	Avira URL Cloud: Label: malware
Source: https://hummskitnj.buzz/uo	Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/e8M	Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apiQmW3	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/6C	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/apiN	Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/nsx/random.exe	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php----GV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8Kn	Avira URL Cloud: Label: malware
Source: https://hummskitnj.buzz/d	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dlllS	Avira URL Cloud: Label: malware
Source: https://hummskitnj.buzz/api	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/sqlite3.dllcA.n	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/x	Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/martin/random.exe#	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpSxS	Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/api2LiK	Avira URL Cloud: Label: malware
Source: https://hummskitnj.buzz:443/api	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php2001	Avira URL Cloud: Label: malware
Source: https://hummskitnj.buzz/apisk	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 33.2.3237c2ad29.exe.45ecf38.1.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["sustainskelet.lat", "grannyejh.lat", "energyaffai.lat", "necklacebudi.lat", "aspecteirs.lat", "discokeyus.lat", "rapeflowwj.lat", "crosshuaht.lat"], "Build id": "7uZzAf--"}
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\OiMp3TH[1].exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\soft[1]	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[2].exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\Y5GDD24dF3WS31fzZ\Y-Cleaner.exe	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: w22319us3M.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\OiMp3TH[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: w22319us3M.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: 185.215.113.43
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: S-%lu-
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: abc3bc1985
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: skotes.exe
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Startup
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: rundll32
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Programs
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: %USERPROFILE%
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: cred.dll
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: clip.dll
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: http://
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: https://
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: /quiet
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: /Plugins/
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: &unit=
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: shell32.dll
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: kernel32.dll
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: GetNativeSystemInfo
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ProgramData\
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: AVAST Software
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Kaspersky Lab
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Panda Security
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Doctor Web
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: 360TotalSecurity
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Bitdefender
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Norton
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Sophos
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Comodo
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: WinDefender
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: 0123456789
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ------
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ?scr=1
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ComputerName
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: -unicode-
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: VideoID
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: DefaultSettings.XResolution
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: DefaultSettings.YResolution
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ProductName
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: CurrentBuild
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: rundll32.exe
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: "taskkill /f /im "
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: " && timeout 1 && del
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: && Exit"
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: " && ren
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Powershell.exe
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: shutdown -s -t 0
Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: random
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 7uZzAf--
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: 07
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: 01
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: 20
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: 25
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetProcAddress
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: LoadLibraryA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: lstrcatA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: OpenEventA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CreateEventA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CloseHandle
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Sleep
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: VirtualFree
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetSystemInfo
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: VirtualAlloc
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: HeapAlloc
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetComputerNameA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: lstrcpyA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetProcessHeap
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetCurrentProcess
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: lstrlenA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: ExitProcess
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetSystemTime
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: advapi32.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: gdi32.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: user32.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: crypt32.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetUserNameA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CreateDCA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetDeviceCaps
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: ReleaseDC
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sscanf
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: VMwareVMware
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: HAL9TH
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: JohnDoe
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: DISPLAY
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: http://185.215.113.206
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: /c4becf79229cb002.php
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: /68b591d6548ec281/
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: stok
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetFileAttributesA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: HeapFree
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetFileSize
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GlobalSize
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: IsWow64Process
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Process32Next
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetLocalTime
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: FreeLibrary
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetVolumeInformationA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Process32First
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetLocaleInfoA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetModuleFileNameA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: DeleteFileA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: FindNextFileA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: LocalFree
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: FindClose
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: LocalAlloc
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetFileSizeEx
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: ReadFile
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SetFilePointer
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: WriteFile
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CreateFileA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: FindFirstFileA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CopyFileA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: VirtualProtect
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetLastError
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: lstrcpynA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: MultiByteToWideChar
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GlobalFree
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: WideCharToMultiByte
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GlobalAlloc
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: OpenProcess
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: TerminateProcess
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetCurrentProcessId
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: gdiplus.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: ole32.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: bcrypt.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: wininet.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: shlwapi.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: shell32.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: rstrtmgr.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SelectObject
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: BitBlt
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: DeleteObject
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CreateCompatibleDC
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GdiplusStartup
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GdiplusShutdown
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GdipDisposeImage
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GdipFree
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CoUninitialize
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CoInitialize
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CoCreateInstance
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: BCryptDecrypt
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: BCryptSetProperty
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: BCryptDestroyKey
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetWindowRect
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetDesktopWindow
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetDC
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CloseWindow
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: wsprintfA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CharToOemW
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: wsprintfW
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RegQueryValueExA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RegEnumKeyExA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RegOpenKeyExA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RegCloseKey
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RegEnumValueA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CryptUnprotectData
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SHGetFolderPathA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: ShellExecuteExA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: InternetOpenUrlA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: InternetConnectA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: InternetCloseHandle
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: HttpSendRequestA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: HttpOpenRequestA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: InternetReadFile
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: InternetCrackUrlA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: StrCmpCA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: StrStrA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: StrCmpCW
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: PathMatchSpecA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RmStartSession
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RmRegisterResources
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RmGetList
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: RmEndSession
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3_open
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3_step
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3_column_text
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3_finalize
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3_close
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3_column_blob
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: encrypted_key
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: PATH
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: NSS_Init
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: NSS_Shutdown
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: PK11_FreeSlot
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: PK11_Authenticate
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: C:\ProgramData\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: browser:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: profile:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: url:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: login:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: password:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Opera
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: OperaGX
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Network
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: cookies
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: .txt
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: TRUE
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: FALSE
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: autofill
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: history
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: cc
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: name:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: month:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: year:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: card:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Cookies
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Login Data
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Web Data
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: History
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: logins.json
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: formSubmitURL
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: usernameField
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: encryptedUsername
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: encryptedPassword
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: guid
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: cookies.sqlite
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: formhistory.sqlite
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: places.sqlite
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: plugins
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Local Extension Settings
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Sync Extension Settings
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: IndexedDB
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Opera Stable
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Opera GX Stable
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: CURRENT
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: chrome-extension_
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Local State
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: profiles.ini
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: chrome
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: opera
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: firefox
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: wallets
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: ProductName
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: x32
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: x64
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: DisplayName
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: DisplayVersion
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Network Info:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - IP: IP?
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Country: ISO?
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: System Summary:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - HWID:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - OS:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Architecture:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - UserName:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Computer Name:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Local Time:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - UTC:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Language:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Keyboards:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Laptop:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Running Path:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - CPU:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Threads:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Cores:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - RAM:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - Display Resolution:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: - GPU:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: User Agents:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Installed Apps:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: All Users:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Current User:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Process List:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: system_info.txt
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: freebl3.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: mozglue.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: msvcp140.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: nss3.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: softokn3.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: vcruntime140.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \Temp\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: .exe
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: runas
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: open
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: /c start
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %DESKTOP%
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %APPDATA%
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %USERPROFILE%
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %DOCUMENTS%
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: %RECENT%
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: *.lnk
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: files
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \discord\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \Telegram Desktop\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: key_datas
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: map*
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Telegram
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Tox
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: *.tox
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: *.ini
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Password
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: 00000001
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: 00000002
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: 00000003
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: 00000004
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Pidgin
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \.purple\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: accounts.xml
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: token:
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Software\Valve\Steam
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: SteamPath
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \config\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: ssfn*
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: config.vdf
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: DialogConfig.vdf
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: libraryfolders.vdf
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: loginusers.vdf
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \Steam\
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: sqlite3.dll
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: done
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: soft
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: https
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: POST
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: HTTP/1.1
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: hwid
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: build
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: token
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: file_name
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: file
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: message
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C53A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	3_2_6C53A9A0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C534440 PK11_PrivDecrypt,	3_2_6C534440
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C504420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	3_2_6C504420
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5344C0 PK11_PubEncrypt,	3_2_6C5344C0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5825B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	3_2_6C5825B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C53A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	3_2_6C53A650
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C518670 PK11_ExportEncryptedPrivKeyInfo,	3_2_6C518670
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C51E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	3_2_6C51E6E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	3_2_6C55A730
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C560180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	3_2_6C560180
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5343B0 PK11_PubEncryptPKCS1,PR_SetError,	3_2_6C5343B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C557C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	3_2_6C557C00
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C517D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	3_2_6C517D60
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	3_2_6C55BD30
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C559EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	3_2_6C559EC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C533FF0 PK11_PrivDecryptPKCS1,	3_2_6C533FF0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C533850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	3_2_6C533850
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C539840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	3_2_6C539840
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55DA40 SEC_PKCS7ContentIsEncrypted,	3_2_6C55DA40

Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_6117489b-5

Source: w22319us3M.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: mozglue.pdbP source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3051309512.000000006F8DD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: nss3.pdb@ source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: app_mobySetup.pdb source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\Dan\source\repos\pthkkad\pthkkad\obj\Debug\pthkkad.pdb source: OiMp3TH.exe, 00000011.00000000.2909797422.0000000000472000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: PE.pdb source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000002.3627358743.00000000059A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: c:\BuildAgent\work\6fe1ab573d75f9ba\src\DotNetOpenAuth.OpenId\obj\v4.0\Release\DotNetOpenAuth.OpenId.pdbd- source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: mozglue.pdb source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3051309512.000000006F8DD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: 59c9193d17.exe, 0000001E.00000003.4362793851.000000000262A000.00000004.00000800.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000002.4422791869.0000000000AFC000.00000002.00000001.01000000.00000015.sdmp, 59c9193d17.exe, 0000001E.00000000.3069050036.0000000000AFC000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\xevoEHqwR.pdb source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000044DA000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000002.3654697563.0000000005D50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\BuildAgent\work\6fe1ab573d75f9ba\src\DotNetOpenAuth.OpenId\obj\v4.0\Release\DotNetOpenAuth.OpenId.pdb source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 39MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	IPs: 185.215.113.43

Yara detected Generic Downloader

Source: Yara match	File source: 33.2.3237c2ad29.exe.42fb8f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.3237c2ad29.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.3237c2ad29.exe.42c39b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe, type: DROPPED

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C4ECC60 PR_Recv,

3_2_6C4ECC60

Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: http://.css
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: http://.jpg
Source: 4ee1ae93b7.exe, 00000020.00000002.4676302235.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/download
Source: 4ee1ae93b7.exe, 00000020.00000003.4329511884.0000000005656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download
Source: 4ee1ae93b7.exe, 00000020.00000002.4676302235.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download43
Source: 4ee1ae93b7.exe, 00000020.00000002.4676302235.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000002.4676302235.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/download
Source: w22319us3M.exe, 00000000.00000003.2341914882.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe:
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: w22319us3M.exe, 00000000.00000003.2342041894.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: w22319us3M.exe, 00000000.00000003.2341914882.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe2
Source: w22319us3M.exe, 00000000.00000003.2341914882.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/we
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exe
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exe$
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exee1395d71
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000014EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001548000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/405117-2476756634-1003
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll)A
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll.
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001530000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll3B
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dlllS
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001548000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllcA.n
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/C:
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/J
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php----GV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8Kn
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/x
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php84N
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpJ~
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpSxS
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpU
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/s
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206c4becf79229cb002.phpd2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8Kn
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000014EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206oM
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2001
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpF
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpp
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpsk
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ons
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/6151862750/OiMp3TH.exe
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/6151862750/OiMp3TH.exeXYZ0123456789
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/Krokodyl02/random.exe
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/fate/random.exe/
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/fate/random.exe_
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exe
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exeR
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exeuNko/index.phpS
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/martin/random.exe
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/martin/random.exe#
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/nsx/random.exe
Source: skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique2/random.exe
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://axschema.org/company/nameBhttp://axschema.org/company/title:http://axschema.org/birthDateNhtt
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://axschema.org/contact/postalAddress/homephttp://axschema.org/contact/postalAddressAdditional/h
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://axschema.org/contact/postalCode/businessDhttp://axschema.org/contact/IM/AIMDhttp://axschema.o
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://axschema.org/namePersonJhttp://axschema.org/namePerson/prefixHhttp://axschema.org/namePerson/
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://axschema.org/person/genderFhttp://axschema.org/media/biographyBhttp://axschema.org/pref/langu
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microP8
Source: w22319us3M.exe, 00000000.00000003.2219190464.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microh7
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Source: ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp, ecc27e013f.exe, 0000001F.00000002.3512046340.0000000001604000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363489418.0000000001601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: ecc27e013f.exe, 0000001F.00000002.3512046340.0000000001604000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363489418.0000000001601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4
Source: ecc27e013f.exe, 0000001F.00000003.3363387925.0000000001663000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363351203.000000000165E000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3529390805.0000000001666000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363763677.0000000001666000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3512046340.0000000001604000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363489418.0000000001601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: ecc27e013f.exe, 0000001F.00000003.3363387925.0000000001663000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363351203.000000000165E000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3529390805.0000000001666000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363763677.0000000001666000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0M
Source: ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: ecc27e013f.exe, 0000001F.00000002.3512046340.0000000001604000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363489418.0000000001601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://namespace.google.com/openid/xmlns
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://openid.net/extensions/sreg/1.1
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://openid.net/extensions/sreg/1.14http://openid.net/sreg/1.04http://openid.net/sreg/1.1
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://openid.net/signon/1.1
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://openid.net/sreg/1.05http://openid.net/sreg/1.1
Source: 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://openid.net/srv/ax/1.0
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://openid.net/xmlns/1.09http://openid.net/signon/1.0
Source: OiMp3TH.exe, 00000011.00000002.4682579427.00000000028FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: OiMp3TH.exe, 00000011.00000002.4682579427.00000000028FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.comd
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/none
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/phishing-resistantxhttp://schemas.openid.net/pape/po
Source: OiMp3TH.exe, 00000011.00000002.4682579427.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/auth/2.0
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/auth/2.0$dnoa.request_nonce
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/auth/2.0/signonOhttp://specs.openid.net/auth/2.0/serverehttp://specs.openid.
Source: 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/extensions/oauth/1.0
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/extensions/pape/1.0
Source: 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/1.0/icon
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/1.0/mode/popup
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/1.0ghttp://specs.openid.net/extensions/ui/1.0/lang-pref
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/1.0hhttp://specs.openid.net/extensions/ui/1.0/mode/popupfhttp:
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/icon
Source: 4ee1ae93b7.exe, 00000020.00000003.4397814234.0000000005612000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4393904263.000000000594F000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4395509476.000000000594F000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4397575314.0000000005671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3080621815.0000000000253000.00000040.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3080621815.0000000000253000.00000040.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdfthttp://www.idmanagement.gov/
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3051309512.000000006F8DD000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050681823.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 59c9193d17.exe, 0000001E.00000003.4404843636.000000000067C000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000002.4418339450.0000000000640000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000003.4404843636.0000000000640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/
Source: 59c9193d17.exe, 0000001E.00000002.4418339450.000000000067C000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000003.4404843636.000000000067C000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000002.4417282214.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/api
Source: 59c9193d17.exe, 0000001E.00000003.4404843636.0000000000659000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000002.4418339450.0000000000659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/apiI
Source: 59c9193d17.exe, 0000001E.00000002.4418339450.000000000067C000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000003.4404843636.000000000067C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/api~
Source: 4ee1ae93b7.exe, 00000020.00000003.4397814234.0000000005612000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4393904263.000000000594F000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4395509476.000000000594F000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4397575314.0000000005671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g-cleanit.hk
Source: OiMp3TH.exe, 00000011.00000000.2909797422.0000000000472000.00000002.00000001.01000000.0000000F.sdmp, OiMp3TH.exe, 00000011.00000002.4682579427.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/tpuyikkdktyh.exe
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: https://httpbin.org/ipbefore
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz/
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz/api
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz/apid
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz/apisk
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz/d
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz/pib
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz/uo
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz:443/api
Source: 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 4ee1ae93b7.exe, 00000020.00000003.4397814234.0000000005612000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4393904263.000000000594F000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4395509476.000000000594F000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4397575314.0000000005671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1Pz8p7
Source: 3237c2ad29.exe, 00000023.00000002.3878347203.0000000001409000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: 3237c2ad29.exe, 00000023.00000002.3879091111.0000000001478000.00000004.00000020.00020000.00000000.sdmp, 3237c2ad29.exe, 00000023.00000002.3879169239.000000000148E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: 3237c2ad29.exe, 00000023.00000002.3879091111.0000000001478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api8.I
Source: 3237c2ad29.exe, 00000023.00000002.3879091111.0000000001478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apit
Source: w22319us3M.exe, 00000000.00000003.2134093790.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2133913855.0000000005558000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2341850942.0000000005565000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2164465296.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2342041894.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2134637238.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2165143831.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2341720759.0000000005565000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2133938606.0000000005566000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/
Source: w22319us3M.exe, 00000000.00000003.2205272043.0000000005565000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2194727360.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2341850942.0000000005565000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2341720759.0000000005565000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2205461081.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/V?
Source: w22319us3M.exe, 00000000.00000003.2219190464.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/api
Source: w22319us3M.exe, 00000000.00000003.2133913855.0000000005558000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2139392141.000000000555F000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2134157737.000000000555F000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2141076975.000000000555F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/api2LiK
Source: w22319us3M.exe, 00000000.00000003.2243818179.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2243630168.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2219190464.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/api8
Source: w22319us3M.exe, 00000000.00000003.2341914882.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apiB
Source: w22319us3M.exe, 00000000.00000003.2163516127.0000000005559000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2165024692.0000000005559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apiQmW3
Source: w22319us3M.exe, 00000000.00000003.2194742777.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apire
Source: w22319us3M.exe, 00000000.00000003.2194727360.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2164465296.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2165143831.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2172864986.0000000005569000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/e8M
Source: 86e84e5515.exe, 00000019.00000003.3184621897.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3165689717.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3059738732.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3241100784.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3250194297.000000000079E000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3059682313.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251313145.000000000079E000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251609546.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251662411.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/
Source: 86e84e5515.exe, 00000019.00000003.3184621897.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3241100784.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251609546.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/6C
Source: 86e84e5515.exe, 00000019.00000003.3134583009.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3134679618.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/95
Source: 86e84e5515.exe, 00000019.00000003.3250576498.0000000000815000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3096887321.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097916482.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api
Source: 86e84e5515.exe, 00000019.00000003.3134583009.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3134679618.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api&C
Source: 86e84e5515.exe, 00000019.00000003.3184621897.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3241100784.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251609546.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiN
Source: 86e84e5515.exe, 00000019.00000002.3251313145.0000000000781000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3250194297.0000000000781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/bmA
Source: 86e84e5515.exe, 00000019.00000003.3250194297.0000000000781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/jh
Source: 86e84e5515.exe, 00000019.00000002.3251313145.0000000000781000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3250194297.0000000000781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/ob
Source: 86e84e5515.exe, 00000019.00000002.3251662411.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/pik
Source: 86e84e5515.exe, 00000019.00000002.3251313145.0000000000781000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3250194297.0000000000781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/api
Source: 86e84e5515.exe, 00000019.00000002.3251313145.0000000000781000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3250194297.0000000000781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/apicrosoft
Source: 3237c2ad29.exe, 00000023.00000002.3880985272.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://parquedelriovaldivia.cl/
Source: 3237c2ad29.exe, 00000023.00000002.3879091111.0000000001478000.00000004.00000020.00020000.00000000.sdmp, 3237c2ad29.exe, 00000023.00000002.3878347203.0000000001409000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parquedelriovaldivia.cl/7427009775.exe
Source: 3237c2ad29.exe, 00000023.00000002.3880985272.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://parquedelriovaldivia.cl/A
Source: 3237c2ad29.exe, 00000023.00000002.3880985272.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://parquedelriovaldivia.cl/l
Source: OiMp3TH.exe, 00000011.00000002.4682579427.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: OiMp3TH.exe, 00000011.00000002.4682579427.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe
Source: 86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2896813380.000000000BF98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C7C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C7C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C7C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: w22319us3M.exe, 00000000.00000003.2139855355.00000000057F2000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2896813380.000000000BF98000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: w22319us3M.exe, 00000000.00000003.2139855355.00000000057F2000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2896813380.000000000BF98000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C7C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: w22319us3M.exe, 00000000.00000003.2139855355.00000000057F2000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2896813380.000000000BF98000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

Malicious sample detected (through community Yara rule)

Source: 33.2.3237c2ad29.exe.42c39b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 44.2.525f5f9628.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000020.00000002.4715017228.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000020.00000002.4675874053.0000000000EA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

PE file contains section with special chars

Source: w22319us3M.exe	Static PE information: section name:
Source: w22319us3M.exe	Static PE information: section name: .idata
Source: w22319us3M.exe	Static PE information: section name:
Source: GCIPC88T1V3Y5G2CGGZMZF.exe.0.dr	Static PE information: section name:
Source: GCIPC88T1V3Y5G2CGGZMZF.exe.0.dr	Static PE information: section name: .idata
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: section name:
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.3.dr	Static PE information: section name:
Source: random[1].exe.3.dr	Static PE information: section name: .idata
Source: KFHJJJKKFH.exe.3.dr	Static PE information: section name:
Source: KFHJJJKKFH.exe.3.dr	Static PE information: section name: .idata
Source: skotes.exe.4.dr	Static PE information: section name:
Source: skotes.exe.4.dr	Static PE information: section name: .idata
Source: 525f5f9628.exe.16.dr	Static PE information: section name:
Source: 525f5f9628.exe.16.dr	Static PE information: section name: .idata
Source: random[3].exe.16.dr	Static PE information: section name:
Source: random[3].exe.16.dr	Static PE information: section name: .idata
Source: random[3].exe0.16.dr	Static PE information: section name:
Source: random[3].exe0.16.dr	Static PE information: section name: .idata
Source: random[3].exe0.16.dr	Static PE information: section name:
Source: b310885a4c.exe.16.dr	Static PE information: section name:
Source: b310885a4c.exe.16.dr	Static PE information: section name: .idata
Source: b310885a4c.exe.16.dr	Static PE information: section name:
Source: random[1].exe1.16.dr	Static PE information: section name:
Source: random[1].exe1.16.dr	Static PE information: section name: .idata
Source: random[1].exe1.16.dr	Static PE information: section name:
Source: ecc27e013f.exe.16.dr	Static PE information: section name:
Source: ecc27e013f.exe.16.dr	Static PE information: section name: .idata
Source: ecc27e013f.exe.16.dr	Static PE information: section name:
Source: random[2].exe.16.dr	Static PE information: section name:
Source: random[2].exe.16.dr	Static PE information: section name: .idata
Source: random[2].exe.16.dr	Static PE information: section name:
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name:
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name: .idata
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name:

PE file has nameless sections

Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6DD0	0_3_00CC6DD0
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6DE0	0_3_00CC6DE0
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00C9DB50	0_3_00C9DB50
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC6C79	0_3_00CC6C79
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C48AC60	3_2_6C48AC60
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C546C00	3_2_6C546C00
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55AC30	3_2_6C55AC30
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C47ECC0	3_2_6C47ECC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4DECD0	3_2_6C4DECD0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5AAD50	3_2_6C5AAD50
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C54ED70	3_2_6C54ED70
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C608D20	3_2_6C608D20
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C60CDC0	3_2_6C60CDC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C516D90	3_2_6C516D90
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C484DB0	3_2_6C484DB0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C51EE70	3_2_6C51EE70
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C560E20	3_2_6C560E20
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C48AEC0	3_2_6C48AEC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C520EC0	3_2_6C520EC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C506E90	3_2_6C506E90
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4EEF40	3_2_6C4EEF40
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C542F70	3_2_6C542F70
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C486F10	3_2_6C486F10
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5C0F20	3_2_6C5C0F20
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55EFF0	3_2_6C55EFF0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C480FE0	3_2_6C480FE0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5C8FB0	3_2_6C5C8FB0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C48EFB0	3_2_6C48EFB0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C554840	3_2_6C554840
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4D0820	3_2_6C4D0820
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C50A820	3_2_6C50A820
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5868E0	3_2_6C5868E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4B8960	3_2_6C4B8960
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4D6900	3_2_6C4D6900
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C59C9E0	3_2_6C59C9E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4B49F0	3_2_6C4B49F0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5409B0	3_2_6C5409B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5109A0	3_2_6C5109A0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C53A9A0	3_2_6C53A9A0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4FCA70	3_2_6C4FCA70
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C52EA00	3_2_6C52EA00
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C538A30	3_2_6C538A30
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4FEA80	3_2_6C4FEA80
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C586BE0	3_2_6C586BE0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C520BA0	3_2_6C520BA0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C498460	3_2_6C498460
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C50A430	3_2_6C50A430
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E4420	3_2_6C4E4420
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C51A4D0	3_2_6C51A4D0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4C64D0	3_2_6C4C64D0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5AA480	3_2_6C5AA480
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5C8550	3_2_6C5C8550
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4D8540	3_2_6C4D8540
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C584540	3_2_6C584540
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C520570	3_2_6C520570
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E2560	3_2_6C4E2560
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C50E5F0	3_2_6C50E5F0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C54A5E0	3_2_6C54A5E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4745B0	3_2_6C4745B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4DC650	3_2_6C4DC650
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4A46D0	3_2_6C4A46D0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4DE6E0	3_2_6C4DE6E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C51E6E0	3_2_6C51E6E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C500700	3_2_6C500700
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4AA7D0	3_2_6C4AA7D0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4CE070	3_2_6C4CE070
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C548010	3_2_6C548010
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C54C000	3_2_6C54C000
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C478090	3_2_6C478090
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55C0B0	3_2_6C55C0B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4900B0	3_2_6C4900B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E8140	3_2_6C4E8140
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C564130	3_2_6C564130
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4F6130	3_2_6C4F6130
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4801E0	3_2_6C4801E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C518250	3_2_6C518250
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C508260	3_2_6C508260
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C54A210	3_2_6C54A210
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C558220	3_2_6C558220
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C6062C0	3_2_6C6062C0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C54E2B0	3_2_6C54E2B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5522A0	3_2_6C5522A0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C488340	3_2_6C488340
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C516370	3_2_6C516370
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5C2370	3_2_6C5C2370
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C482370	3_2_6C482370
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C59C360	3_2_6C59C360
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4F2320	3_2_6C4F2320
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4D43E0	3_2_6C4D43E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4B23A0	3_2_6C4B23A0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4DE3B0	3_2_6C4DE3B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C483C40	3_2_6C483C40
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5A9C40	3_2_6C5A9C40
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C491C30	3_2_6C491C30
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5BDCD0	3_2_6C5BDCD0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C541CE0	3_2_6C541CE0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E3D00	3_2_6C4E3D00
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C551DC0	3_2_6C551DC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C473D80	3_2_6C473D80
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5C9D90	3_2_6C5C9D90
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C605E60	3_2_6C605E60
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5DBE70	3_2_6C5DBE70
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C58DE10	3_2_6C58DE10
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4A3EC0	3_2_6C4A3EC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4B5F20	3_2_6C4B5F20
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C475F30	3_2_6C475F30
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5D7F20	3_2_6C5D7F20
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C59DFC0	3_2_6C59DFC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C603FC0	3_2_6C603FC0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C52BFF0	3_2_6C52BFF0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4A1F90	3_2_6C4A1F90
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4DD810	3_2_6C4DD810
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55F8F0	3_2_6C55F8F0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C48D8E0	3_2_6C48D8E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4B38E0	3_2_6C4B38E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5DB8F0	3_2_6C5DB8F0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4FF960	3_2_6C4FF960
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C53D960	3_2_6C53D960
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5CF900	3_2_6C5CF900
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C535920	3_2_6C535920
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5199C0	3_2_6C5199C0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4B99D0	3_2_6C4B99D0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5179F0	3_2_6C5179F0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E59F0	3_2_6C4E59F0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C551990	3_2_6C551990
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C491980	3_2_6C491980
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C609A50	3_2_6C609A50
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4BFA10	3_2_6C4BFA10
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C57DA30	3_2_6C57DA30
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C481AE0	3_2_6C481AE0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55DAB0	3_2_6C55DAB0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C55FB60	3_2_6C55FB60
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4CBB20	3_2_6C4CBB20
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4C7BF0	3_2_6C4C7BF0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C565B90	3_2_6C565B90
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C471B80	3_2_6C471B80
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C549BB0	3_2_6C549BB0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4D9BA0	3_2_6C4D9BA0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C50D410	3_2_6C50D410
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C569430	3_2_6C569430
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4814E0	3_2_6C4814E0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C6014A0	3_2_6C6014A0

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: String function: 6C4A9B10 appears 99 times
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: String function: 6C5B9F30 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: String function: 6C4DC5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: String function: 6C4A3620 appears 93 times

Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 1212

Source: w22319us3M.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 33.2.3237c2ad29.exe.42c39b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 44.2.525f5f9628.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000020.00000002.4715017228.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000020.00000002.4675874053.0000000000EA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: random[2].exe0.16.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3237c2ad29.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Y-Cleaner.exe.32.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: w22319us3M.exe	Static PE information: Section: ZLIB complexity 0.9995659722222222
Source: w22319us3M.exe	Static PE information: Section: isujduiu ZLIB complexity 0.9941501033136184
Source: random[3].exe0.16.dr	Static PE information: Section: ZLIB complexity 0.9995723549836601
Source: random[3].exe0.16.dr	Static PE information: Section: vhrjtgqb ZLIB complexity 0.994990476010863
Source: b310885a4c.exe.16.dr	Static PE information: Section: ZLIB complexity 0.9995723549836601
Source: b310885a4c.exe.16.dr	Static PE information: Section: vhrjtgqb ZLIB complexity 0.994990476010863
Source: random[1].exe.16.dr	Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
Source: 86e84e5515.exe.16.dr	Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
Source: random[1].exe1.16.dr	Static PE information: Section: lrpylste ZLIB complexity 0.9943323563117066
Source: ecc27e013f.exe.16.dr	Static PE information: Section: lrpylste ZLIB complexity 0.9943323563117066
Source: random[2].exe.16.dr	Static PE information: Section: dhwqlwvz ZLIB complexity 0.990112635501355
Source: 4ee1ae93b7.exe.16.dr	Static PE information: Section: dhwqlwvz ZLIB complexity 0.990112635501355
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: Section: ZLIB complexity 0.9983207449261993
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: Section: .data ZLIB complexity 0.9969605025245634

Source: skotes.exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.3.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: KFHJJJKKFH.exe.3.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: OiMp3TH[1].exe.16.dr, Programm.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: OiMp3TH[1].exe.16.dr, Programm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: OiMp3TH.exe.16.dr, Programm.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: OiMp3TH.exe.16.dr, Programm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@122/1042@0/27

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C4E0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

3_2_6C4E0300

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\27NM92DY.htm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Mutant created: \Sessions\1\BaseNamedObjects\RandomMutex013013013
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7688
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03

Source: C:\Users\user\Desktop\w22319us3M.exe

File created: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Jump to behavior

Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "u-eng.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mme.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nnu.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "svdhost.exe")

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\w22319us3M.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: w22319us3M.exe, 00000000.00000003.2086754561.00000000054DD000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086498646.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599333596.0000000005AB5000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2746192410.0000000005AA9000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3061212680.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3034139910.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3061212680.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032601516.0000000002E66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3038505657.0000000005BC9000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050578928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: w22319us3M.exe

ReversingLabs: Detection: 63%

Source: GCIPC88T1V3Y5G2CGGZMZF.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\w22319us3M.exe

File read: C:\Users\user\Desktop\w22319us3M.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\w22319us3M.exe "C:\Users\user\Desktop\w22319us3M.exe"
Source: C:\Users\user\Desktop\w22319us3M.exe	Process created: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe "C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe"
Source: C:\Users\user\Desktop\w22319us3M.exe	Process created: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe "C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe"
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=2224,i,6748778520308675678,4762310437119586897,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2400,i,10826734570849083507,2192603502781811824,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1968,i,8730398777066644679,12218846822964699434,262144 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe "C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe"
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe "C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe"
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Process created: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe "C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe"
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KFHJJJKKFH.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\KFHJJJKKFH.exe "C:\Users\user\Documents\KFHJJJKKFH.exe"
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe "C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe "C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe "C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe "C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe "C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe"
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 1212
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe "C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "nvidia.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "csrr.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "mnn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "nnu.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "lss.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "onn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "u-eng.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "u-eng.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nnu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "svdhost.exe"
Source: C:\Users\user\Desktop\w22319us3M.exe	Process created: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe "C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Process created: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe "C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KFHJJJKKFH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=2224,i,6748778520308675678,4762310437119586897,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2400,i,10826734570849083507,2192603502781811824,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1968,i,8730398777066644679,12218846822964699434,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe "C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe "C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe "C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe "C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe "C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe "C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe "C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc'
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe "C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe"
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Process created: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe "C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\KFHJJJKKFH.exe "C:\Users\user\Documents\KFHJJJKKFH.exe"
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "nvidia.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "svdhost.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "csrr.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "mnn.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "mme.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "nnu.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "lss.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "onn.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "u-eng.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nnu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "u-eng.exe"

Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Section loaded: kernel.appcore.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: apphelp.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: version.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: shfolder.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: uxtheme.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: windows.storage.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: wldp.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: profapi.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: sspicli.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: winhttp.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: webio.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: mswsock.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: iphlpapi.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: winnsi.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: dnsapi.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: rasadhlp.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: fwpuclnt.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: schannel.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: mskeyprotect.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: ntasn1.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: ncrypt.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: ncryptsslp.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: msasn1.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: cryptsp.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: rsaenh.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: cryptbase.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: gpapi.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: dpapi.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: kernel.appcore.dll
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: w22319us3M.exe

Static file information: File size 1860608 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: w22319us3M.exe

Static PE information: Raw size of isujduiu is bigger than: 0x100000 < 0x19c200

Source:	Binary string: mozglue.pdbP source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3051309512.000000006F8DD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: nss3.pdb@ source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: app_mobySetup.pdb source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\Dan\source\repos\pthkkad\pthkkad\obj\Debug\pthkkad.pdb source: OiMp3TH.exe, 00000011.00000000.2909797422.0000000000472000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: PE.pdb source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000002.3627358743.00000000059A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3050994366.000000006C60F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: c:\BuildAgent\work\6fe1ab573d75f9ba\src\DotNetOpenAuth.OpenId\obj\v4.0\Release\DotNetOpenAuth.OpenId.pdbd- source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: mozglue.pdb source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3051309512.000000006F8DD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: 59c9193d17.exe, 0000001E.00000003.4362793851.000000000262A000.00000004.00000800.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000002.4422791869.0000000000AFC000.00000002.00000001.01000000.00000015.sdmp, 59c9193d17.exe, 0000001E.00000000.3069050036.0000000000AFC000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\xevoEHqwR.pdb source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000044DA000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000002.3654697563.0000000005D50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\BuildAgent\work\6fe1ab573d75f9ba\src\DotNetOpenAuth.OpenId\obj\v4.0\Release\DotNetOpenAuth.OpenId.pdb source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Unpacked PE file: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack :EW;.rsrc:W;.idata :W;jvdduhrr:EW;adcgyevy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jvdduhrr:EW;adcgyevy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Unpacked PE file: 4.2.C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.7a0000.0.unpack :EW;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 9.2.skotes.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 10.2.skotes.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 16.2.skotes.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW;
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Unpacked PE file: 28.2.KFHJJJKKFH.exe.320000.0.unpack :EW;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ysynnfor:EW;lfcxdbpw:EW;.taggant:EW;
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Unpacked PE file: 29.2.kqafnifqcv_638708865856767870.exe.200000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Unpacked PE file: 31.2.ecc27e013f.exe.3c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lrpylste:EW;fpogxiqp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lrpylste:EW;fpogxiqp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Unpacked PE file: 32.2.4ee1ae93b7.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dhwqlwvz:EW;ondecqpq:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Unpacked PE file: 37.2.b310885a4c.exe.e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vhrjtgqb:EW;dzauhbuk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vhrjtgqb:EW;dzauhbuk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Unpacked PE file: 44.2.525f5f9628.exe.630000.0.unpack :EW;.rsrc:W;.idata :W;jvdduhrr:EW;adcgyevy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jvdduhrr:EW;adcgyevy:EW;.taggant:EW;

Source: OiMp3TH[1].exe.16.dr

Static PE information: 0x8D363D39 [Fri Jan 27 15:01:13 2045 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 3237c2ad29.exe.16.dr	Static PE information: real checksum: 0x0 should be: 0x1ecc70
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: real checksum: 0x0 should be: 0x144dcb
Source: random[1].exe.16.dr	Static PE information: real checksum: 0x0 should be: 0x88ff0
Source: random[3].exe0.16.dr	Static PE information: real checksum: 0x1d6484 should be: 0x1d77f0
Source: b310885a4c.exe.16.dr	Static PE information: real checksum: 0x1d6484 should be: 0x1d77f0
Source: skotes.exe.4.dr	Static PE information: real checksum: 0x31b7aa should be: 0x31e500
Source: ecc27e013f.exe.16.dr	Static PE information: real checksum: 0x448a7f should be: 0x450c00
Source: 86e84e5515.exe.16.dr	Static PE information: real checksum: 0x0 should be: 0x88ff0
Source: random[1].exe.3.dr	Static PE information: real checksum: 0x31b7aa should be: 0x31e500
Source: 4ee1ae93b7.exe.16.dr	Static PE information: real checksum: 0x1db80b should be: 0x1d6182
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: real checksum: 0x31b7aa should be: 0x31e500
Source: 525f5f9628.exe.16.dr	Static PE information: real checksum: 0x4ed61f should be: 0x4e9ce4
Source: OiMp3TH.exe.16.dr	Static PE information: real checksum: 0x0 should be: 0x20663
Source: random[2].exe0.16.dr	Static PE information: real checksum: 0x0 should be: 0x1ecc70
Source: w22319us3M.exe	Static PE information: real checksum: 0x1ca4c4 should be: 0x1c7ce7
Source: random[1].exe1.16.dr	Static PE information: real checksum: 0x448a7f should be: 0x450c00
Source: random[3].exe.16.dr	Static PE information: real checksum: 0x4ed61f should be: 0x4e9ce4
Source: OiMp3TH[1].exe.16.dr	Static PE information: real checksum: 0x0 should be: 0x20663
Source: Y-Cleaner.exe.32.dr	Static PE information: real checksum: 0x0 should be: 0x170243
Source: GCIPC88T1V3Y5G2CGGZMZF.exe.0.dr	Static PE information: real checksum: 0x4ed61f should be: 0x4e9ce4
Source: random[2].exe.16.dr	Static PE information: real checksum: 0x1db80b should be: 0x1d6182
Source: KFHJJJKKFH.exe.3.dr	Static PE information: real checksum: 0x31b7aa should be: 0x31e500

Source: w22319us3M.exe	Static PE information: section name:
Source: w22319us3M.exe	Static PE information: section name: .idata
Source: w22319us3M.exe	Static PE information: section name:
Source: w22319us3M.exe	Static PE information: section name: isujduiu
Source: w22319us3M.exe	Static PE information: section name: ynrufuji
Source: w22319us3M.exe	Static PE information: section name: .taggant
Source: GCIPC88T1V3Y5G2CGGZMZF.exe.0.dr	Static PE information: section name:
Source: GCIPC88T1V3Y5G2CGGZMZF.exe.0.dr	Static PE information: section name: .idata
Source: GCIPC88T1V3Y5G2CGGZMZF.exe.0.dr	Static PE information: section name: jvdduhrr
Source: GCIPC88T1V3Y5G2CGGZMZF.exe.0.dr	Static PE information: section name: adcgyevy
Source: GCIPC88T1V3Y5G2CGGZMZF.exe.0.dr	Static PE information: section name: .taggant
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: section name:
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: section name: .idata
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: section name: ysynnfor
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: section name: lfcxdbpw
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.3.dr	Static PE information: section name:
Source: random[1].exe.3.dr	Static PE information: section name: .idata
Source: random[1].exe.3.dr	Static PE information: section name: ysynnfor
Source: random[1].exe.3.dr	Static PE information: section name: lfcxdbpw
Source: random[1].exe.3.dr	Static PE information: section name: .taggant
Source: KFHJJJKKFH.exe.3.dr	Static PE information: section name:
Source: KFHJJJKKFH.exe.3.dr	Static PE information: section name: .idata
Source: KFHJJJKKFH.exe.3.dr	Static PE information: section name: ysynnfor
Source: KFHJJJKKFH.exe.3.dr	Static PE information: section name: lfcxdbpw
Source: KFHJJJKKFH.exe.3.dr	Static PE information: section name: .taggant
Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.3.dr	Static PE information: section name: .didat
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: skotes.exe.4.dr	Static PE information: section name:
Source: skotes.exe.4.dr	Static PE information: section name: .idata
Source: skotes.exe.4.dr	Static PE information: section name: ysynnfor
Source: skotes.exe.4.dr	Static PE information: section name: lfcxdbpw
Source: skotes.exe.4.dr	Static PE information: section name: .taggant
Source: 525f5f9628.exe.16.dr	Static PE information: section name:
Source: 525f5f9628.exe.16.dr	Static PE information: section name: .idata
Source: 525f5f9628.exe.16.dr	Static PE information: section name: jvdduhrr
Source: 525f5f9628.exe.16.dr	Static PE information: section name: adcgyevy
Source: 525f5f9628.exe.16.dr	Static PE information: section name: .taggant
Source: random[3].exe.16.dr	Static PE information: section name:
Source: random[3].exe.16.dr	Static PE information: section name: .idata
Source: random[3].exe.16.dr	Static PE information: section name: jvdduhrr
Source: random[3].exe.16.dr	Static PE information: section name: adcgyevy
Source: random[3].exe.16.dr	Static PE information: section name: .taggant
Source: random[3].exe0.16.dr	Static PE information: section name:
Source: random[3].exe0.16.dr	Static PE information: section name: .idata
Source: random[3].exe0.16.dr	Static PE information: section name:
Source: random[3].exe0.16.dr	Static PE information: section name: vhrjtgqb
Source: random[3].exe0.16.dr	Static PE information: section name: dzauhbuk
Source: random[3].exe0.16.dr	Static PE information: section name: .taggant
Source: b310885a4c.exe.16.dr	Static PE information: section name:
Source: b310885a4c.exe.16.dr	Static PE information: section name: .idata
Source: b310885a4c.exe.16.dr	Static PE information: section name:
Source: b310885a4c.exe.16.dr	Static PE information: section name: vhrjtgqb
Source: b310885a4c.exe.16.dr	Static PE information: section name: dzauhbuk
Source: b310885a4c.exe.16.dr	Static PE information: section name: .taggant
Source: random[1].exe0.16.dr	Static PE information: section name: .fptable
Source: 59c9193d17.exe.16.dr	Static PE information: section name: .fptable
Source: random[1].exe1.16.dr	Static PE information: section name:
Source: random[1].exe1.16.dr	Static PE information: section name: .idata
Source: random[1].exe1.16.dr	Static PE information: section name:
Source: random[1].exe1.16.dr	Static PE information: section name: lrpylste
Source: random[1].exe1.16.dr	Static PE information: section name: fpogxiqp
Source: random[1].exe1.16.dr	Static PE information: section name: .taggant
Source: ecc27e013f.exe.16.dr	Static PE information: section name:
Source: ecc27e013f.exe.16.dr	Static PE information: section name: .idata
Source: ecc27e013f.exe.16.dr	Static PE information: section name:
Source: ecc27e013f.exe.16.dr	Static PE information: section name: lrpylste
Source: ecc27e013f.exe.16.dr	Static PE information: section name: fpogxiqp
Source: ecc27e013f.exe.16.dr	Static PE information: section name: .taggant
Source: random[2].exe.16.dr	Static PE information: section name:
Source: random[2].exe.16.dr	Static PE information: section name: .idata
Source: random[2].exe.16.dr	Static PE information: section name:
Source: random[2].exe.16.dr	Static PE information: section name: dhwqlwvz
Source: random[2].exe.16.dr	Static PE information: section name: ondecqpq
Source: random[2].exe.16.dr	Static PE information: section name: .taggant
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name:
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name: .idata
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name:
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name: dhwqlwvz
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name: ondecqpq
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name: .taggant
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBBCDC pushfd ; retf	0_3_00CBBD0A
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBBCD1 pushfd ; retn 003Eh	0_3_00CBBCD2
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBE898 push 6800CB2Bh; retf	0_3_00CBE89D
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBD024 push eax; retf	0_3_00CBD085
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC0038 pushad ; retf	0_3_00CC0039
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBCDAC push C800CBF6h; retf	0_3_00CBCDB1
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBE55D pushad ; retf	0_3_00CBE55E
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC32E1 push eax; ret	0_3_00CC3309
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC32E1 push eax; ret	0_3_00CC3309
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC32E1 push eax; ret	0_3_00CC3309
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC32E1 push eax; ret	0_3_00CC3309
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CC32E1 push eax; ret	0_3_00CC3309
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBEA9B push eax; retf	0_3_00CBEB31
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBEA91 pushad ; retf	0_3_00CBEA92
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBEA95 pushad ; retf	0_3_00CBEA96
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBEA1F pushad ; retf	0_3_00CBEA22
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBEA1C pushad ; retf	0_3_00CBEA1E
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBEA23 pushad ; retf	0_3_00CBEA26
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBE7BD pushad ; retf	0_3_00CBE7BE
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CBE71C pushad ; retf	0_3_00CBE71E
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EC3 push ds; retf	0_3_00CB1EC6
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EC3 push ds; retf	0_3_00CB1EC6
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EC3 push ds; retf	0_3_00CB1EC6
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EC1 push ds; retf	0_3_00CB1EC2
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EC1 push ds; retf	0_3_00CB1EC2
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EC1 push ds; retf	0_3_00CB1EC2
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EDB push ds; retf	0_3_00CB1EDE
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EDB push ds; retf	0_3_00CB1EDE
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1EDB push ds; retf	0_3_00CB1EDE
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1ED9 push ds; retf	0_3_00CB1EDA
Source: C:\Users\user\Desktop\w22319us3M.exe	Code function: 0_3_00CB1ED9 push ds; retf	0_3_00CB1EDA

Source: w22319us3M.exe	Static PE information: section name: entropy: 7.984271560443622
Source: w22319us3M.exe	Static PE information: section name: isujduiu entropy: 7.952916975061763
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.0.dr	Static PE information: section name: entropy: 6.9553451139803135
Source: random[1].exe.3.dr	Static PE information: section name: entropy: 6.9553451139803135
Source: KFHJJJKKFH.exe.3.dr	Static PE information: section name: entropy: 6.9553451139803135
Source: skotes.exe.4.dr	Static PE information: section name: entropy: 6.9553451139803135
Source: random[3].exe0.16.dr	Static PE information: section name: entropy: 7.98038969887768
Source: random[3].exe0.16.dr	Static PE information: section name: vhrjtgqb entropy: 7.955488021374035
Source: b310885a4c.exe.16.dr	Static PE information: section name: entropy: 7.98038969887768
Source: b310885a4c.exe.16.dr	Static PE information: section name: vhrjtgqb entropy: 7.955488021374035
Source: random[1].exe1.16.dr	Static PE information: section name: lrpylste entropy: 7.95488352075432
Source: ecc27e013f.exe.16.dr	Static PE information: section name: lrpylste entropy: 7.95488352075432
Source: random[2].exe.16.dr	Static PE information: section name: dhwqlwvz entropy: 7.949015912615468
Source: 4ee1ae93b7.exe.16.dr	Static PE information: section name: dhwqlwvz entropy: 7.949015912615468
Source: random[2].exe0.16.dr	Static PE information: section name: .text entropy: 7.667674316543831
Source: 3237c2ad29.exe.16.dr	Static PE information: section name: .text entropy: 7.667674316543831
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name: entropy: 7.997894042340675
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name: entropy: 7.8446034009114705
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name: entropy: 7.910323865765355
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name: entropy: 7.889601543930096
Source: kqafnifqcv_638708865856767870.exe.17.dr	Static PE information: section name: .data entropy: 7.987204044077213
Source: Y-Cleaner.exe.32.dr	Static PE information: section name: .text entropy: 7.918511524700298

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

File created: C:\Users\user\Documents\KFHJJJKKFH.exe

Jump to dropped file

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe

Process created: "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe"

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\OiMp3TH[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	File created: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\mfcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	File created: C:\Users\user\AppData\Local\Temp\Y5GDD24dF3WS31fzZ\Y-Cleaner.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\pywintypes27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\python27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\tcl85.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\win32process.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\mfc90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\mpc\41678903251236549780	Jump to dropped file
Source: C:\Users\user\Desktop\w22319us3M.exe	File created: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\pythoncom27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\tk85.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	File created: C:\Users\user\AppData\Local\Temp\Y5GDD24dF3WS31fzZ\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\soft[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Jump to dropped file
Source: C:\Users\user\Desktop\w22319us3M.exe	File created: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\mfcm90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\win32event.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\Users\user\Documents\KFHJJJKKFH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024342001\540b6da6f6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\dll[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\bz2.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\soft[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\dll[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI46762\mpc\41678903251236549780	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b310885a4c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 525f5f9628.exe

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\w22319us3M.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b310885a4c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b310885a4c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 525f5f9628.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 525f5f9628.exe

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\w22319us3M.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\w22319us3M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\w22319us3M.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\w22319us3M.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: PROCMON.EXE
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: X64DBG.EXE
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: WINDBG.EXE
Source: ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 2593CE second address: 2593D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 2593D4 second address: 258C89 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D3773h], eax 0x0000000f push dword ptr [ebp+122D0671h] 0x00000015 mov dword ptr [ebp+122D3773h], ebx 0x0000001b sub dword ptr [ebp+122D2107h], ecx 0x00000021 call dword ptr [ebp+122D1B17h] 0x00000027 pushad 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D1AFFh], eax 0x0000002f popad 0x00000030 xor eax, eax 0x00000032 pushad 0x00000033 jmp 00007F1A14C6D089h 0x00000038 mov bx, cx 0x0000003b popad 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 stc 0x00000041 mov dword ptr [ebp+122D3ABCh], eax 0x00000047 clc 0x00000048 mov esi, 0000003Ch 0x0000004d mov dword ptr [ebp+122D1AFFh], eax 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 jmp 00007F1A14C6D07Eh 0x0000005c lodsw 0x0000005e jmp 00007F1A14C6D07Ch 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 sub dword ptr [ebp+122D1AFFh], edi 0x0000006d clc 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 jo 00007F1A14C6D07Ch 0x00000078 mov dword ptr [ebp+122D1AFFh], ecx 0x0000007e sub dword ptr [ebp+122D2313h], ebx 0x00000084 nop 0x00000085 jmp 00007F1A14C6D084h 0x0000008a push eax 0x0000008b push eax 0x0000008c push edx 0x0000008d push eax 0x0000008e push edx 0x0000008f ja 00007F1A14C6D076h 0x00000095 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 258C89 second address: 258C93 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1A1531EE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3C01C5 second address: 3C01CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3C01CE second address: 3C01DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F1A1531EE86h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CB853 second address: 3CB857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CB857 second address: 3CB861 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1A1531EE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF5F3 second address: 3CF5F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF5F9 second address: 3CF5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF6DA second address: 3CF6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF6DE second address: 3CF6FA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ebx 0x0000000a jno 00007F1A1531EE88h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF6FA second address: 3CF6FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF6FE second address: 3CF772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F1A1531EE9Eh 0x0000000c jmp 00007F1A1531EE98h 0x00000011 popad 0x00000012 pop eax 0x00000013 mov dword ptr [ebp+122D2AC8h], esi 0x00000019 push 00000003h 0x0000001b mov dword ptr [ebp+122D2AD4h], ebx 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+122D1BACh], edx 0x00000029 push 00000003h 0x0000002b mov si, dx 0x0000002e call 00007F1A1531EE89h 0x00000033 jmp 00007F1A1531EE91h 0x00000038 push eax 0x00000039 pushad 0x0000003a jmp 00007F1A1531EE94h 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF772 second address: 3CF7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F1A14C6D089h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1A14C6D07Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF839 second address: 3CF8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F1A1531EE8Dh 0x0000000a jmp 00007F1A1531EE8Dh 0x0000000f popad 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F1A1531EE88h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c jc 00007F1A1531EE92h 0x00000032 jnl 00007F1A1531EE8Ch 0x00000038 push 00000000h 0x0000003a mov cx, si 0x0000003d call 00007F1A1531EE89h 0x00000042 jmp 00007F1A1531EE8Dh 0x00000047 push eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF8AA second address: 3CF8AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF8AE second address: 3CF8B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CF96F second address: 3CF975 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CFA10 second address: 3CFA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F1A1531EE88h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov edi, ecx 0x00000027 mov cx, 87D1h 0x0000002b call 00007F1A1531EE89h 0x00000030 push ebx 0x00000031 jg 00007F1A1531EE88h 0x00000037 pop ebx 0x00000038 push eax 0x00000039 push eax 0x0000003a push edi 0x0000003b jl 00007F1A1531EE86h 0x00000041 pop edi 0x00000042 pop eax 0x00000043 mov eax, dword ptr [esp+04h] 0x00000047 push edx 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CFA65 second address: 3CFAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F1A14C6D076h 0x0000000a popad 0x0000000b pop edx 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edx 0x0000000f jns 00007F1A14C6D078h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a pushad 0x0000001b ja 00007F1A14C6D08Bh 0x00000021 pushad 0x00000022 jmp 00007F1A14C6D081h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CFAB1 second address: 3CFB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 and si, C331h 0x0000000c push 00000003h 0x0000000e mov dh, 53h 0x00000010 push 00000000h 0x00000012 sub dword ptr [ebp+122D24DCh], eax 0x00000018 push 00000003h 0x0000001a mov dword ptr [ebp+122D1B1Ch], eax 0x00000020 push 6A706C38h 0x00000025 jo 00007F1A1531EE94h 0x0000002b jmp 00007F1A1531EE8Eh 0x00000030 add dword ptr [esp], 558F93C8h 0x00000037 jp 00007F1A1531EE8Bh 0x0000003d lea ebx, dword ptr [ebp+1244A531h] 0x00000043 mov edi, ebx 0x00000045 push eax 0x00000046 pushad 0x00000047 pushad 0x00000048 push esi 0x00000049 pop esi 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3CFB0B second address: 3CFB18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F1A14C6D076h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3F04ED second address: 3F0522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1A1531EE86h 0x0000000a jmp 00007F1A1531EE98h 0x0000000f popad 0x00000010 jmp 00007F1A1531EE92h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3C51A4 second address: 3C51A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3C51A8 second address: 3C51AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EE8C3 second address: 3EE8C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EE8C7 second address: 3EE8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EEA37 second address: 3EEA4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EEB87 second address: 3EEB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EED32 second address: 3EED3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F1A14C6D076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EED3E second address: 3EED42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EED42 second address: 3EED46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EEE6B second address: 3EEE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BAFE2 second address: 3BAFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFCDB second address: 3EFCEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1A1531EE8Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFCEB second address: 3EFD09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A14C6D07Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007F1A14C6D076h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFD09 second address: 3EFD0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFE60 second address: 3EFE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A14C6D080h 0x00000009 je 00007F1A14C6D076h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFE7D second address: 3EFEA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F1A1531EE86h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F1A1531EE96h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFEA2 second address: 3EFEA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFEA8 second address: 3EFED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1A1531EE94h 0x00000010 jnc 00007F1A1531EE92h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFED9 second address: 3EFEDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFEDF second address: 3EFEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE8Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3EFEED second address: 3EFEF7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1A14C6D076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3F0042 second address: 3F004C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1A1531EE86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3F004C second address: 3F005A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3F005A second address: 3F0060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3F0060 second address: 3F009A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007F1A14C6D076h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F1A14C6D087h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3F009A second address: 3F00AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3B7A86 second address: 3B7AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F1A14C6D086h 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3B7AAB second address: 3B7ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE98h 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3F799A second address: 3F799E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FC366 second address: 3FC379 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FB785 second address: 3FB7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A14C6D07Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1A14C6D07Dh 0x00000012 jmp 00007F1A14C6D07Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FB7AF second address: 3FB7B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FB90A second address: 3FB90E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FB90E second address: 3FB91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1A1531EE86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FBA8D second address: 3FBA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FBA93 second address: 3FBA99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FBEDB second address: 3FBEDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FC048 second address: 3FC04E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FC04E second address: 3FC05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A14C6D07Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FC05D second address: 3FC087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F1A1531EE86h 0x00000014 jmp 00007F1A1531EE96h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FC087 second address: 3FC08D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FC08D second address: 3FC093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FE89B second address: 3FE89F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FEF53 second address: 3FEF59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FEF59 second address: 3FEF5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FF2B9 second address: 3FF2BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FF2BF second address: 3FF2C4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FF2C4 second address: 3FF2D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F1A1531EE86h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FF3BD second address: 3FF3C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FFAF3 second address: 3FFAF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 401631 second address: 401648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 400CC9 second address: 400CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 400CCF second address: 400CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4020CD second address: 4020D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4020D1 second address: 4020DB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1A14C6D076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40426B second address: 404270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 404BE7 second address: 404C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F1A14C6D085h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 404C0B second address: 404C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 404C11 second address: 404CB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b pushad 0x0000000c mov al, B5h 0x0000000e jmp 00007F1A14C6D07Eh 0x00000013 popad 0x00000014 call 00007F1A14C6D07Fh 0x00000019 mov ebx, dword ptr [ebp+122D3679h] 0x0000001f pop edx 0x00000020 popad 0x00000021 push 00000000h 0x00000023 jo 00007F1A14C6D076h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F1A14C6D078h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 jbe 00007F1A14C6D080h 0x0000004b jp 00007F1A14C6D07Ah 0x00000051 mov di, 76C6h 0x00000055 add si, 6A01h 0x0000005a xchg eax, ebx 0x0000005b jg 00007F1A14C6D08Dh 0x00000061 push eax 0x00000062 jo 00007F1A14C6D080h 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4091BA second address: 40922F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F1A1531EE88h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D36CFh], esi 0x00000028 sub bh, 00000077h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F1A1531EE88h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov dword ptr [ebp+122D28B8h], eax 0x0000004d push 00000000h 0x0000004f mov bx, CE89h 0x00000053 xchg eax, esi 0x00000054 push edx 0x00000055 jg 00007F1A1531EE88h 0x0000005b pop edx 0x0000005c push eax 0x0000005d pushad 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40A2B8 second address: 40A359 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F1A14C6D078h 0x0000000c popad 0x0000000d nop 0x0000000e xor dword ptr [ebp+122D1812h], ecx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F1A14C6D078h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov bh, 0Fh 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov edi, dword ptr [ebp+122D3A88h] 0x00000044 mov eax, dword ptr [ebp+122D0245h] 0x0000004a push 00000000h 0x0000004c push edx 0x0000004d call 00007F1A14C6D078h 0x00000052 pop edx 0x00000053 mov dword ptr [esp+04h], edx 0x00000057 add dword ptr [esp+04h], 00000017h 0x0000005f inc edx 0x00000060 push edx 0x00000061 ret 0x00000062 pop edx 0x00000063 ret 0x00000064 pushad 0x00000065 mov edx, dword ptr [ebp+122D3768h] 0x0000006b mov ecx, dword ptr [ebp+122D20FBh] 0x00000071 popad 0x00000072 push FFFFFFFFh 0x00000074 mov dword ptr [ebp+122D18B2h], ebx 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007F1A14C6D085h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40B63E second address: 40B64E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F1A1531EE8Eh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40C479 second address: 40C4F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F1A14C6D078h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov edi, esi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F1A14C6D078h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D33F7h], edx 0x0000004b mov ebx, dword ptr [ebp+122D30BEh] 0x00000051 push 00000000h 0x00000053 mov ebx, dword ptr [ebp+122D38D4h] 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jnl 00007F1A14C6D07Ch 0x00000062 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40E3B4 second address: 40E3CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40D637 second address: 40D651 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40E3CF second address: 40E428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c ja 00007F1A1531EE8Ch 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F1A1531EE88h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e xor di, B904h 0x00000033 push 00000000h 0x00000035 xor dword ptr [ebp+12443BC4h], edx 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f push esi 0x00000040 pop esi 0x00000041 pushad 0x00000042 popad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40E428 second address: 40E42E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40E42E second address: 40E432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40E432 second address: 40E441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40E441 second address: 40E454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1A1531EE8Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40F4B1 second address: 40F4B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40E592 second address: 40E597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40E692 second address: 40E697 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 40F651 second address: 40F65E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F1A1531EE86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4106EA second address: 4106F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4107BF second address: 4107C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 412642 second address: 41265F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1A14C6D089h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 41265F second address: 4126DD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F1A1531EE88h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 add bh, FFFFFF9Ch 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D3A44h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F1A1531EE88h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c mov ebx, dword ptr [ebp+122D3594h] 0x00000052 mov edi, eax 0x00000054 push eax 0x00000055 push edi 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F1A1531EE90h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 41365E second address: 413662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 414582 second address: 41461A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F1A1531EE96h 0x0000000f jmp 00007F1A1531EE97h 0x00000014 popad 0x00000015 pop eax 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F1A1531EE88h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov edi, dword ptr [ebp+122D1892h] 0x00000037 mov ebx, dword ptr [ebp+122D3970h] 0x0000003d mov dword ptr [ebp+122D2F47h], eax 0x00000043 push 00000000h 0x00000045 or di, 0005h 0x0000004a push 00000000h 0x0000004c push 00000000h 0x0000004e push edi 0x0000004f call 00007F1A1531EE88h 0x00000054 pop edi 0x00000055 mov dword ptr [esp+04h], edi 0x00000059 add dword ptr [esp+04h], 00000015h 0x00000061 inc edi 0x00000062 push edi 0x00000063 ret 0x00000064 pop edi 0x00000065 ret 0x00000066 push eax 0x00000067 push esi 0x00000068 jc 00007F1A1531EE8Ch 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4137DF second address: 4137F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 416658 second address: 41665C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 41665C second address: 41669D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F1A14C6D078h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 sbb di, DF3Bh 0x00000027 push 00000000h 0x00000029 mov ebx, dword ptr [ebp+122D3928h] 0x0000002f push 00000000h 0x00000031 add edi, 3A6EBFE4h 0x00000037 push eax 0x00000038 pushad 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 41669D second address: 4166A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 41485B second address: 41485F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 41485F second address: 414869 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1A1531EE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4117BB second address: 4117DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1A14C6D07Eh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F1A14C6D07Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4117DA second address: 4117DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4117DE second address: 4117E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4176CB second address: 4176D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4176D1 second address: 4176D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4176D5 second address: 41773D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movzx ebx, ax 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F1A1531EE88h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a call 00007F1A1531EE8Ah 0x0000002f adc di, 7300h 0x00000034 pop edi 0x00000035 push 00000000h 0x00000037 jmp 00007F1A1531EE8Eh 0x0000003c push eax 0x0000003d jbe 00007F1A1531EEABh 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F1A1531EE92h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4117E3 second address: 411846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 movzx ebx, cx 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F1A14C6D078h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov edi, 261E3A53h 0x00000031 push edx 0x00000032 adc bh, 00000005h 0x00000035 pop edi 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov ebx, dword ptr [ebp+122D3A90h] 0x00000043 mov eax, dword ptr [ebp+122D114Dh] 0x00000049 add edi, dword ptr [ebp+122D195Dh] 0x0000004f push FFFFFFFFh 0x00000051 mov edi, dword ptr [ebp+122D2F71h] 0x00000057 nop 0x00000058 pushad 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 416830 second address: 4168DC instructions: 0x00000000 rdtsc 0x00000002 je 00007F1A1531EE94h 0x00000008 jmp 00007F1A1531EE8Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F1A1531EE88h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c jmp 00007F1A1531EE8Eh 0x00000031 sub bx, F06Ah 0x00000036 push dword ptr fs:[00000000h] 0x0000003d mov di, dx 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 mov edi, dword ptr [ebp+122D3A60h] 0x0000004d mov eax, dword ptr [ebp+122D093Dh] 0x00000053 pushad 0x00000054 cmc 0x00000055 mov ecx, 768A45ADh 0x0000005a popad 0x0000005b push FFFFFFFFh 0x0000005d push 00000000h 0x0000005f push esi 0x00000060 call 00007F1A1531EE88h 0x00000065 pop esi 0x00000066 mov dword ptr [esp+04h], esi 0x0000006a add dword ptr [esp+04h], 00000015h 0x00000072 inc esi 0x00000073 push esi 0x00000074 ret 0x00000075 pop esi 0x00000076 ret 0x00000077 xor bx, 86E7h 0x0000007c mov edi, dword ptr [ebp+122D3A70h] 0x00000082 nop 0x00000083 jo 00007F1A1531EE90h 0x00000089 pushad 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4168DC second address: 4168ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F1A14C6D076h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 417890 second address: 417894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 417894 second address: 4178AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F1A14C6D076h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jne 00007F1A14C6D076h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4178AF second address: 4178B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 419F45 second address: 419F66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 419F66 second address: 419F7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 400CC5 second address: 400CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BE6B6 second address: 3BE6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BE6BD second address: 3BE6C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F1A14C6D076h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BE6C9 second address: 3BE6D9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1A1531EE86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BE6D9 second address: 3BE6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BE6DF second address: 3BE716 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1A1531EE96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4232B1 second address: 4232B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4232B5 second address: 4232BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 428D1B second address: 428D3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jl 00007F1A14C6D07Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 428D3E second address: 428D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007F1A1531EE94h 0x0000000a pop edx 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007F1A1531EE9Fh 0x00000018 jmp 00007F1A1531EE99h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 428ECE second address: 428EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F1A14C6D086h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 428EF6 second address: 428EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 428EFC second address: 428F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 428F00 second address: 428F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F1A1531EE8Dh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F1A1531EE8Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42DC4F second address: 42DC69 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1A14C6D076h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F1A14C6D07Eh 0x00000012 pushad 0x00000013 popad 0x00000014 jng 00007F1A14C6D076h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42DC69 second address: 42DC6E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D08B second address: 42D097 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D097 second address: 42D09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D09B second address: 42D0A1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D0A1 second address: 42D0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D1EE second address: 42D205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F1A14C6D07Ch 0x0000000c popad 0x0000000d push ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D36D second address: 42D38C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1A1531EE97h 0x00000008 jmp 00007F1A1531EE91h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D38C second address: 42D390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D390 second address: 42D394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D4C9 second address: 42D4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1A14C6D07Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D4DB second address: 42D4F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42D85C second address: 42D862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 42DADA second address: 42DAFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a js 00007F1A1531EEA4h 0x00000010 jnp 00007F1A1531EE8Eh 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4308FD second address: 430901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 430901 second address: 430909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 438322 second address: 438328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 437193 second address: 437197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 437197 second address: 43719D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43719D second address: 4371A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4371A7 second address: 4371AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FCC21 second address: 3FCC25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FCC25 second address: 3E2C14 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1A14C6D076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push esi 0x00000013 push eax 0x00000014 js 00007F1A14C6D076h 0x0000001a pop eax 0x0000001b pop esi 0x0000001c nop 0x0000001d mov edi, dword ptr [ebp+122D3864h] 0x00000023 call dword ptr [ebp+122D3699h] 0x00000029 pushad 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FCCCF second address: 3FCCD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FCCD5 second address: 3FCCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F1A14C6D076h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FCCE2 second address: 3FCD08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c jo 00007F1A1531EE8Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FCE21 second address: 3FCE3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F1A14C6D076h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FCE3E second address: 3FCE42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FCE42 second address: 3FCE4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FD27D second address: 3FD2A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007F1A1531EE98h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FD2A5 second address: 3FD303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jmp 00007F1A14C6D07Dh 0x00000012 jmp 00007F1A14C6D082h 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jnc 00007F1A14C6D07Eh 0x00000022 pop eax 0x00000023 jp 00007F1A14C6D07Ch 0x00000029 push ED0D4F4Fh 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FD303 second address: 3FD308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FD59D second address: 3FD5B1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1A14C6D078h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FD5B1 second address: 3FD5C9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007F1A1531EE86h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FDC4B second address: 3FDC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FDEF7 second address: 3FDEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FDEFB second address: 3FDF3D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1A14C6D076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F1A14C6D088h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007F1A14C6D087h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FDF3D second address: 3FDF47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F1A1531EE86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FDF47 second address: 3FDF5B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1A14C6D076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push edi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FDFF7 second address: 3FDFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FDFFC second address: 3FE002 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FE002 second address: 3FE006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3E37DE second address: 3E37E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1A14C6D076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3E37E8 second address: 3E37EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4375D1 second address: 4375D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4375D6 second address: 4375EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F1A1531EEA2h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 437A33 second address: 437A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 437A39 second address: 437A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1A1531EE86h 0x0000000a popad 0x0000000b jc 00007F1A1531EE88h 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F1A1531EE90h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 437A60 second address: 437A70 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F1A14C6D076h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 437EF4 second address: 437EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1A1531EE86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43EB56 second address: 43EB6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F1A14C6D076h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e js 00007F1A14C6D082h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BCB97 second address: 3BCB9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BCB9D second address: 3BCBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BCBAA second address: 3BCBAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3BCBAE second address: 3BCBB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43DAEA second address: 43DB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE94h 0x00000009 jmp 00007F1A1531EE97h 0x0000000e popad 0x0000000f jmp 00007F1A1531EE97h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43DE35 second address: 43DE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43DE39 second address: 43DE58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE92h 0x00000007 jns 00007F1A1531EE86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43DFEF second address: 43DFF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43DFF5 second address: 43DFFF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1A1531EE86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43E39F second address: 43E3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F1A14C6D078h 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43E3B4 second address: 43E3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43E3BA second address: 43E3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 43E537 second address: 43E53F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 443063 second address: 443071 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F1A14C6D082h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 443071 second address: 443077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4431F4 second address: 44320F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D081h 0x00000007 jl 00007F1A14C6D076h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 443606 second address: 44360C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 44360C second address: 443614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 443614 second address: 443620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1A1531EE86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 443620 second address: 443625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 443625 second address: 443637 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F1A1531EE86h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 443EB3 second address: 443ECD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D085h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4442CB second address: 4442EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE99h 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F1A1531EE86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4474B8 second address: 4474CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1A14C6D07Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 44DA38 second address: 44DA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 44DA3C second address: 44DA7C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1A14C6D076h 0x00000008 jmp 00007F1A14C6D07Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1A14C6D089h 0x00000016 jmp 00007F1A14C6D07Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 451802 second address: 451818 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE90h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 451390 second address: 451394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 454838 second address: 45483E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 454117 second address: 454144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D087h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1A14C6D080h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4542A1 second address: 4542A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4542A5 second address: 4542A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4542A9 second address: 4542AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4542AF second address: 4542B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 454567 second address: 454577 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F1A1531EE86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 454577 second address: 45457B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 458CDF second address: 458CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 458CE3 second address: 458CE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 458CE7 second address: 458D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1A1531EE95h 0x0000000d jmp 00007F1A1531EE8Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 458D0F second address: 458D34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1A14C6D080h 0x0000000b popad 0x0000000c jne 00007F1A14C6D090h 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F1A14C6D076h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 458E81 second address: 458E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3FDA85 second address: 3FDA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1A14C6D076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 459166 second address: 459196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE96h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F1A1531EE92h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 459CD2 second address: 459CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007F1A14C6D076h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 459CDE second address: 459CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 459CE4 second address: 459CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 459CEA second address: 459CF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F1A1531EE86h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4600A5 second address: 4600A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4600A9 second address: 4600AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4600AD second address: 4600B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4600B3 second address: 4600C7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1A1531EE8Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4600C7 second address: 4600EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4603B0 second address: 4603D9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1A1531EE86h 0x00000008 jng 00007F1A1531EE86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 jmp 00007F1A1531EE96h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4603D9 second address: 4603E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4603E2 second address: 4603E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4606E6 second address: 460701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jo 00007F1A14C6D0ABh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 460701 second address: 460705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 460705 second address: 460727 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1A14C6D085h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 460727 second address: 46072D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4609A6 second address: 4609C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A14C6D087h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 460C57 second address: 460C5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4614A3 second address: 4614A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4614A7 second address: 4614AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4614AC second address: 4614C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1A14C6D07Ch 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4614C5 second address: 4614C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 46174F second address: 461772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jno 00007F1A14C6D088h 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 461772 second address: 461778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 461A93 second address: 461A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 461A97 second address: 461AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F1A1531EE95h 0x0000000c jmp 00007F1A1531EE8Fh 0x00000011 push ecx 0x00000012 je 00007F1A1531EE86h 0x00000018 pop ecx 0x00000019 js 00007F1A1531EE8Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 46A5C2 second address: 46A5DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D083h 0x00000007 jbe 00007F1A14C6D076h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 46978A second address: 469794 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1A1531EE86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469794 second address: 46979A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 46979A second address: 4697BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F1A1531EE90h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007F1A1531EE96h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469919 second address: 46994B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D080h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1A14C6D07Fh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1A14C6D07Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469AF8 second address: 469B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE97h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469DB2 second address: 469DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007F1A14C6D076h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469DC3 second address: 469DD4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1A1531EE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469F60 second address: 469F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469F64 second address: 469F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469F6A second address: 469F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 469F70 second address: 469F89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1A1531EE95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 46A137 second address: 46A149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F1A14C6D076h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 47375D second address: 47377D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE90h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1A1531EE8Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 47377D second address: 473783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 473783 second address: 473787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 471D85 second address: 471DA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D088h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 471DA7 second address: 471DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 471DAD second address: 471DC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Eh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 471DC5 second address: 471DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 471DCB second address: 471DD8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1A14C6D076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 47207A second address: 47209A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1A1531EE8Ch 0x00000008 jl 00007F1A1531EE86h 0x0000000e pushad 0x0000000f jmp 00007F1A1531EE8Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 47209A second address: 4720A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4720A6 second address: 4720AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4720AC second address: 4720B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 472208 second address: 47220E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 47220E second address: 472230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnl 00007F1A14C6D07Ch 0x0000000b popad 0x0000000c pushad 0x0000000d push edx 0x0000000e jmp 00007F1A14C6D07Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 472230 second address: 472242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnl 00007F1A1531EE88h 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4723A4 second address: 4723B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1A14C6D076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4727C6 second address: 4727CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 471500 second address: 471533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A14C6D082h 0x00000009 jmp 00007F1A14C6D07Eh 0x0000000e jne 00007F1A14C6D076h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007F1A14C6D076h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 471533 second address: 471537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 486DEE second address: 486DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4867A0 second address: 4867B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 js 00007F1A1531EE86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4867B0 second address: 4867B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4868DF second address: 4868E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4868E5 second address: 4868FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F1A14C6D080h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48A064 second address: 48A068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48A068 second address: 48A074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48A074 second address: 48A07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48A07A second address: 48A08A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F1A14C6D076h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48C008 second address: 48C00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48C00C second address: 48C02B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D089h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48C02B second address: 48C02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48C02F second address: 48C035 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48BBA2 second address: 48BBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 48BCC2 second address: 48BD0A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1A14C6D076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F1A14C6D089h 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007F1A14C6D076h 0x0000001f jmp 00007F1A14C6D085h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A1E8F second address: 4A1E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A1E94 second address: 4A1EAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F1A14C6D076h 0x0000000a jmp 00007F1A14C6D07Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A2CCC second address: 4A2CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE8Ah 0x00000009 ja 00007F1A1531EE86h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A2CE1 second address: 4A2CE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A5C92 second address: 4A5CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE8Dh 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A9DEA second address: 4A9DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A9DEE second address: 4A9DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A9DF2 second address: 4A9DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A9DF8 second address: 4A9E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1A1531EE8Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4A9E0B second address: 4A9E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F1A14C6D084h 0x0000000d jne 00007F1A14C6D076h 0x00000013 popad 0x00000014 push edi 0x00000015 jnp 00007F1A14C6D076h 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e push ecx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pop edx 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4AFDCE second address: 4AFDD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4AFDD6 second address: 4AFDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1A14C6D076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B1BA5 second address: 4B1BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B1BAB second address: 4B1BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B1BAF second address: 4B1BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7305 second address: 4B730D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B730D second address: 4B7313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7313 second address: 4B7319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7319 second address: 4B7334 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1A1531EE8Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7334 second address: 4B733A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4CA5D9 second address: 4CA5EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F1A1531EE8Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4CA1B1 second address: 4CA1B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4CA1B7 second address: 4CA1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4CA1C0 second address: 4CA1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4CA1C6 second address: 4CA1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jng 00007F1A1531EE86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4CA1D6 second address: 4CA1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1A14C6D076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3C6CE3 second address: 3C6D00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1A1531EE98h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3C6D00 second address: 3C6D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3C6D06 second address: 3C6D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 3C6D0F second address: 3C6D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E07A3 second address: 4E07B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F1A1531EE8Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E0BEB second address: 4E0BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E0BF7 second address: 4E0C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jng 00007F1A1531EE88h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E0C04 second address: 4E0C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1A14C6D07Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E0C15 second address: 4E0C1B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E11CE second address: 4E11DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007F1A14C6D076h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E1495 second address: 4E14AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E45AA second address: 4E4600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A14C6D089h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edx, dword ptr [ebp+122D39E4h] 0x00000013 push dword ptr [ebp+122D1AF1h] 0x00000019 mov edx, dword ptr [ebp+122D3AACh] 0x0000001f call 00007F1A14C6D079h 0x00000024 push edi 0x00000025 jmp 00007F1A14C6D07Eh 0x0000002a pop edi 0x0000002b push eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f ja 00007F1A14C6D076h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E7466 second address: 4E7487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1A1531EE97h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4E8FDF second address: 4E8FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F1A14C6D082h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B603E4 second address: 4B60426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 call 00007F1A1531EE90h 0x0000000a pushfd 0x0000000b jmp 00007F1A1531EE92h 0x00000010 and ch, 00000028h 0x00000013 jmp 00007F1A1531EE8Bh 0x00000018 popfd 0x00000019 pop ecx 0x0000001a popad 0x0000001b mov edx, dword ptr [ebp+0Ch] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B60426 second address: 4B6042A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B6042A second address: 4B6042E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B6042E second address: 4B60434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80681 second address: 4B806D0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1A1531EE8Fh 0x00000008 adc cl, FFFFFFCEh 0x0000000b jmp 00007F1A1531EE99h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ecx 0x00000015 pushad 0x00000016 movzx ecx, dx 0x00000019 mov ax, bx 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F1A1531EE91h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B806D0 second address: 4B806DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 1AEFA542h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B806DA second address: 4B80718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ecx 0x00000008 pushad 0x00000009 mov si, di 0x0000000c pushfd 0x0000000d jmp 00007F1A1531EE91h 0x00000012 sub eax, 0C2A9516h 0x00000018 jmp 00007F1A1531EE91h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80718 second address: 4B8071C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B8071C second address: 4B80722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80722 second address: 4B80742 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1A14C6D084h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80742 second address: 4B80766 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1A1531EE90h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80766 second address: 4B8076C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B8076C second address: 4B807CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 pushfd 0x00000007 jmp 00007F1A1531EE98h 0x0000000c sbb cl, 00000058h 0x0000000f jmp 00007F1A1531EE8Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 lea eax, dword ptr [ebp-04h] 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F1A1531EE94h 0x00000022 sub ax, 9AB8h 0x00000027 jmp 00007F1A1531EE8Bh 0x0000002c popfd 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B807CB second address: 4B807CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B807CF second address: 4B807DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B807DD second address: 4B807E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B807E1 second address: 4B807FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B807FE second address: 4B80804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80804 second address: 4B80834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1A1531EE94h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80834 second address: 4B80839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80839 second address: 4B80859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, D8A1h 0x00000011 jmp 00007F1A1531EE8Eh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80859 second address: 4B8086B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1A14C6D07Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B8086B second address: 4B8086F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B8093C second address: 4B8096F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b mov ecx, 638EE3FDh 0x00000010 mov ecx, 63EAC2F9h 0x00000015 popad 0x00000016 leave 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1A14C6D07Bh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B8096F second address: 4B80976 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80976 second address: 4B70287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 retn 0004h 0x0000000a nop 0x0000000b sub esp, 04h 0x0000000e xor ebx, ebx 0x00000010 cmp eax, 00000000h 0x00000013 je 00007F1A14C6D1DAh 0x00000019 mov dword ptr [esp], 0000000Dh 0x00000020 call 00007F1A195A9490h 0x00000025 mov edi, edi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70287 second address: 4B7028B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7028B second address: 4B7029E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7029E second address: 4B702D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1A1531EE90h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B702D4 second address: 4B70328 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1A14C6D086h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F1A14C6D080h 0x00000016 sub esp, 2Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F1A14C6D087h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70328 second address: 4B7032E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7032E second address: 4B703A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d mov eax, 7DBCD0FBh 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushfd 0x00000016 jmp 00007F1A14C6D07Ch 0x0000001b adc ax, 8448h 0x00000020 jmp 00007F1A14C6D07Bh 0x00000025 popfd 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F1A14C6D082h 0x00000032 jmp 00007F1A14C6D085h 0x00000037 popfd 0x00000038 jmp 00007F1A14C6D080h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B703A7 second address: 4B703FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F1A1531EE96h 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F1A1531EE8Eh 0x00000017 sbb esi, 207F6E98h 0x0000001d jmp 00007F1A1531EE8Bh 0x00000022 popfd 0x00000023 mov ah, BCh 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a movsx edi, cx 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B704CA second address: 4B704CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B704CE second address: 4B704D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B704D4 second address: 4B70504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F1A14C6D253h 0x0000000f jmp 00007F1A14C6D080h 0x00000014 lea ecx, dword ptr [ebp-14h] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70504 second address: 4B70508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70508 second address: 4B70568 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1A14C6D07Ah 0x00000008 add al, FFFFFF98h 0x0000000b jmp 00007F1A14C6D07Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F1A14C6D088h 0x00000019 adc cl, FFFFFFF8h 0x0000001c jmp 00007F1A14C6D07Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [ebp-14h], edi 0x00000026 pushad 0x00000027 mov dx, si 0x0000002a call 00007F1A14C6D080h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B705A0 second address: 4B705B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1A1531EE91h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B705F1 second address: 4B70608 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70608 second address: 4B7060E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7060E second address: 4B70612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70612 second address: 4B7062F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F1A8624CCEFh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7062F second address: 4B70633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70633 second address: 4B70637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70637 second address: 4B7063D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7063D second address: 4B7066C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 2FF6F86Fh 0x00000008 mov ebx, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d js 00007F1A1531EEFFh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F1A1531EE98h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7066C second address: 4B7067B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7067B second address: 4B706D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 516Ah 0x00000007 pushfd 0x00000008 jmp 00007F1A1531EE8Bh 0x0000000d xor esi, 2D293A0Eh 0x00000013 jmp 00007F1A1531EE99h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c cmp dword ptr [ebp-14h], edi 0x0000001f pushad 0x00000020 mov dl, ah 0x00000022 popad 0x00000023 jne 00007F1A8624CC69h 0x00000029 jmp 00007F1A1531EE8Bh 0x0000002e mov ebx, dword ptr [ebp+08h] 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B706D2 second address: 4B706D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B706D6 second address: 4B706F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B706F1 second address: 4B7072C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c jmp 00007F1A14C6D07Eh 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 mov ecx, 104B1B8Dh 0x00000018 push eax 0x00000019 push edx 0x0000001a mov si, D3AFh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7072C second address: 4B70786 instructions: 0x00000000 rdtsc 0x00000002 call 00007F1A1531EE94h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d mov ecx, 7A81646Dh 0x00000012 popad 0x00000013 xchg eax, esi 0x00000014 jmp 00007F1A1531EE8Fh 0x00000019 nop 0x0000001a jmp 00007F1A1531EE96h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F1A1531EE8Eh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70786 second address: 4B707C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 2544h 0x00000007 mov edx, 436551B0h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movzx eax, bx 0x00000016 pushfd 0x00000017 jmp 00007F1A14C6D07Dh 0x0000001c add ch, 00000036h 0x0000001f jmp 00007F1A14C6D081h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B707C0 second address: 4B70817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1A1531EE97h 0x00000008 jmp 00007F1A1531EE98h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F1A1531EE90h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1A1531EE8Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70868 second address: 4B7001D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov esi, eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F1A14C6D07Ah 0x00000010 add cx, 0508h 0x00000015 jmp 00007F1A14C6D07Bh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F1A14C6D088h 0x00000021 add ah, 00000068h 0x00000024 jmp 00007F1A14C6D07Bh 0x00000029 popfd 0x0000002a popad 0x0000002b test esi, esi 0x0000002d pushad 0x0000002e mov edi, esi 0x00000030 mov bh, al 0x00000032 popad 0x00000033 je 00007F1A85B9AE0Ch 0x00000039 xor eax, eax 0x0000003b jmp 00007F1A14C467AAh 0x00000040 pop esi 0x00000041 pop edi 0x00000042 pop ebx 0x00000043 leave 0x00000044 retn 0004h 0x00000047 nop 0x00000048 sub esp, 04h 0x0000004b mov esi, eax 0x0000004d xor ebx, ebx 0x0000004f cmp esi, 00000000h 0x00000052 je 00007F1A14C6D1B5h 0x00000058 call 00007F1A195A90BCh 0x0000005d mov edi, edi 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F1A14C6D087h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7001D second address: 4B70021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70021 second address: 4B70027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70027 second address: 4B70059 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 4681h 0x00000007 pushfd 0x00000008 jmp 00007F1A1531EE8Eh 0x0000000d sub esi, 609DB598h 0x00000013 jmp 00007F1A1531EE8Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70059 second address: 4B7005D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B7005D second address: 4B70061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70061 second address: 4B70067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70067 second address: 4B700FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1A1531EE98h 0x00000009 sub ch, 00000028h 0x0000000c jmp 00007F1A1531EE8Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F1A1531EE98h 0x00000018 adc eax, 04916988h 0x0000001e jmp 00007F1A1531EE8Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov bh, ch 0x0000002d pushfd 0x0000002e jmp 00007F1A1531EE97h 0x00000033 add si, 467Eh 0x00000038 jmp 00007F1A1531EE99h 0x0000003d popfd 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B700FE second address: 4B70123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1A14C6D07Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70123 second address: 4B70162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F1A1531EE8Eh 0x00000010 xchg eax, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1A1531EE97h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70162 second address: 4B701BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F1A14C6D07Ah 0x00000013 and ecx, 677507C8h 0x00000019 jmp 00007F1A14C6D07Bh 0x0000001e popfd 0x0000001f call 00007F1A14C6D088h 0x00000024 pop ecx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B701BA second address: 4B701D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1A1531EE92h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B701D7 second address: 4B70212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-04h], 55534552h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F1A14C6D082h 0x00000019 xor ch, FFFFFFE8h 0x0000001c jmp 00007F1A14C6D07Bh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70C87 second address: 4B70C8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70C8D second address: 4B70CAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75AF459Ch], 05h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop ecx 0x00000015 push edi 0x00000016 pop eax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70CAE second address: 4B70CC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F1A8623CBCFh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov al, E9h 0x00000013 mov edi, 2816C204h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70DD5 second address: 4B70DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70DD9 second address: 4B70DDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70DDD second address: 4B70DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B70E38 second address: 4B70E92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F1A1531EE93h 0x00000014 or eax, 1B7074DEh 0x0000001a jmp 00007F1A1531EE99h 0x0000001f popfd 0x00000020 mov di, si 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B809C1 second address: 4B80A01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1A14C6D07Ah 0x00000009 jmp 00007F1A14C6D085h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], ebp 0x00000015 jmp 00007F1A14C6D07Eh 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80A01 second address: 4B80A05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80A05 second address: 4B80A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80ADB second address: 4B80ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80ADF second address: 4B80AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80AE3 second address: 4B80AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80AE9 second address: 4B80B85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1A14C6D088h 0x00000009 adc ecx, 6CFF6EF8h 0x0000000f jmp 00007F1A14C6D07Bh 0x00000014 popfd 0x00000015 call 00007F1A14C6D088h 0x0000001a pop esi 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e je 00007F1A85B929DAh 0x00000024 jmp 00007F1A14C6D081h 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b call 00007F1A14C6D07Ch 0x00000030 call 00007F1A14C6D082h 0x00000035 pop esi 0x00000036 pop edx 0x00000037 mov cx, 0DE7h 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F1A14C6D07Fh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80B85 second address: 4B80BA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80C05 second address: 4B80C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80C0B second address: 4B80C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80C0F second address: 4B80C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80C13 second address: 4B80C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w22319us3M.exe	RDTSC instruction interceptor: First address: 4B80C22 second address: 4B80C28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: E0028C second address: E0029D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6F48C second address: F6F4A0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1A14C6D076h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F1A14C6D076h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6F4A0 second address: F6F4A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6F4A6 second address: F6F4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6F4B0 second address: F6F4B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6E373 second address: F6E381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1A14C6D076h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6E381 second address: F6E3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1A1531EE86h 0x0000000a jo 00007F1A1531EE86h 0x00000010 popad 0x00000011 popad 0x00000012 push ecx 0x00000013 jmp 00007F1A1531EE8Dh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6E68E second address: F6E694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6E694 second address: F6E69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6E69B second address: F6E6A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6E9AE second address: F6E9B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F6E9B2 second address: F6E9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F712C4 second address: F712CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F7131F second address: F71335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1A14C6D082h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F71335 second address: F713AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ecx, dword ptr [ebp+122D2E30h] 0x00000014 mov si, 5C43h 0x00000018 push 00000000h 0x0000001a mov cx, dx 0x0000001d push B11A336Eh 0x00000022 jng 00007F1A1531EE8Ah 0x00000028 add dword ptr [esp], 4EE5CD12h 0x0000002f mov dword ptr [ebp+122D396Fh], ecx 0x00000035 push 00000003h 0x00000037 mov ecx, 5C1D556Dh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007F1A1531EE88h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 push 00000003h 0x0000005a or dword ptr [ebp+122D396Fh], eax 0x00000060 push BEE8A553h 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F713AD second address: F713B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F713B3 second address: F713B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F713B8 second address: F713F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 7EE8A553h 0x0000000f or dword ptr [ebp+122D396Fh], edi 0x00000015 stc 0x00000016 lea ebx, dword ptr [ebp+12445213h] 0x0000001c push edx 0x0000001d jmp 00007F1A14C6D085h 0x00000022 pop edi 0x00000023 mov si, 3727h 0x00000027 xchg eax, ebx 0x00000028 jnc 00007F1A14C6D07Eh 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F71612 second address: F71616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F71616 second address: F7161C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F7161C second address: F71666 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F1A1531EE97h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1A1531EE95h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F71666 second address: F71676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F71676 second address: F716A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007F1A1531EE96h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F1A1531EE8Dh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F716A7 second address: F716B1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1A14C6D076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F716B1 second address: F7172D instructions: 0x00000000 rdtsc 0x00000002 js 00007F1A1531EE8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b or dword ptr [ebp+122D1EB7h], esi 0x00000011 push 00000003h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F1A1531EE88h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov edi, 73BC2FB1h 0x00000032 push 00000000h 0x00000034 xor dword ptr [ebp+122D2F80h], edi 0x0000003a push 00000003h 0x0000003c ja 00007F1A1531EE8Eh 0x00000042 mov ecx, ebx 0x00000044 call 00007F1A1531EE89h 0x00000049 push edx 0x0000004a push esi 0x0000004b jmp 00007F1A1531EE8Ah 0x00000050 pop esi 0x00000051 pop edx 0x00000052 push eax 0x00000053 pushad 0x00000054 je 00007F1A1531EE88h 0x0000005a pushad 0x0000005b popad 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F7172D second address: F71747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jbe 00007F1A14C6D088h 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F1A14C6D076h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90586 second address: F905AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F1A1531EE98h 0x0000000c jg 00007F1A1531EE86h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F906CB second address: F906D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F906D1 second address: F906EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F1A1531EE86h 0x0000000a jmp 00007F1A1531EE8Fh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F906EA second address: F9072C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F1A14C6D07Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1A14C6D089h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9072C second address: F9073E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE8Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9073E second address: F90744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90744 second address: F90757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F1A1531EE86h 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F1A1531EE86h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F908B4 second address: F908C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1A14C6D076h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90A1E second address: F90A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1A1531EE86h 0x0000000a popad 0x0000000b jc 00007F1A1531EE92h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90A31 second address: F90A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1A14C6D076h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90A3B second address: F90A41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90A41 second address: F90A9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c js 00007F1A14C6D07Ch 0x00000012 jno 00007F1A14C6D076h 0x00000018 jnp 00007F1A14C6D07Eh 0x0000001e jmp 00007F1A14C6D07Dh 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F1A14C6D081h 0x0000002a jmp 00007F1A14C6D082h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90D6E second address: F90D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90D74 second address: F90D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90D7F second address: F90D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90D83 second address: F90D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F1A14C6D07Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F90EE5 second address: F90EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F89523 second address: F8953D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F1A14C6D082h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F8953D second address: F89543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F89543 second address: F8954B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F91AD9 second address: F91AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE8Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F91AEC second address: F91AF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F91C7D second address: F91CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop edx 0x0000000b jo 00007F1A1531EE86h 0x00000011 popad 0x00000012 jbe 00007F1A1531EE8Ch 0x00000018 popad 0x00000019 jc 00007F1A1531EE9Eh 0x0000001f jnp 00007F1A1531EE88h 0x00000025 push eax 0x00000026 pop eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F91CAE second address: F91CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F91E2D second address: F91E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F966B0 second address: F966CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A14C6D07Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F1A14C6D07Eh 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9E397 second address: F9E3A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE8Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9E3A9 second address: F9E3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9E3B5 second address: F9E3C5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1A1531EE86h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9E3C5 second address: F9E3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F630BF second address: F630C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9D768 second address: F9D774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1A14C6D076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9D774 second address: F9D788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F1A1531EE8Bh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9D788 second address: F9D78C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9D907 second address: F9D90D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9D90D second address: F9D91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F1A14C6D076h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9DA75 second address: F9DAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1A1531EE93h 0x00000009 pop edx 0x0000000a jmp 00007F1A1531EE8Dh 0x0000000f jmp 00007F1A1531EE8Dh 0x00000014 push esi 0x00000015 jmp 00007F1A1531EE97h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9DC40 second address: F9DC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9DC44 second address: F9DC70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1A1531EE98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F1A1531EE88h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9DC70 second address: F9DC74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9DC74 second address: F9DC80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	RDTSC instruction interceptor: First address: F9E1E3 second address: F9E1E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\w22319us3M.exe	Special instruction interceptor: First address: 258BE9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w22319us3M.exe	Special instruction interceptor: First address: 258CB9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w22319us3M.exe	Special instruction interceptor: First address: 258C1C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w22319us3M.exe	Special instruction interceptor: First address: 41E99A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w22319us3M.exe	Special instruction interceptor: First address: 3FCD78 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w22319us3M.exe	Special instruction interceptor: First address: 47EB45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Special instruction interceptor: First address: DFFA78 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Special instruction interceptor: First address: DFFBB8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Special instruction interceptor: First address: F97213 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Special instruction interceptor: First address: FBC5A5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Special instruction interceptor: First address: 80ED79 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Special instruction interceptor: First address: 80ECF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Special instruction interceptor: First address: A37579 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: B3ED79 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: B3ECF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: D67579 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Special instruction interceptor: First address: 38ED79 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Special instruction interceptor: First address: 38ECF2 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Special instruction interceptor: First address: 5B7579 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Special instruction interceptor: First address: AA1BD7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Special instruction interceptor: First address: C545AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Special instruction interceptor: First address: CD7DFE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Special instruction interceptor: First address: 81CD24 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Special instruction interceptor: First address: 9B93D2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Special instruction interceptor: First address: 9BE797 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Special instruction interceptor: First address: A44575 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Special instruction interceptor: First address: 138D58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Special instruction interceptor: First address: 13665E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Special instruction interceptor: First address: 2F48C7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Special instruction interceptor: First address: 3743DD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Special instruction interceptor: First address: 87FA78 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Special instruction interceptor: First address: 87FBB8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Special instruction interceptor: First address: A17213 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Special instruction interceptor: First address: A3C5A5 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Memory allocated: CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Memory allocated: 2820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Memory allocated: 25B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Memory allocated: 1600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Memory allocated: 32A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Memory allocated: 52A0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\w22319us3M.exe

Code function: 0_3_00CB02FC sldt word ptr [eax]

0_3_00CB02FC

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599187
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598859
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598311
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598090
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597983
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597863
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596850
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596732
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596438
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596311
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596202
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596093
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595546
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595326
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595219
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595098
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594750
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594641
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594531
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594422
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window / User API: threadDelayed 382	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window / User API: threadDelayed 2060	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window / User API: threadDelayed 400	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window / User API: threadDelayed 416	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window / User API: threadDelayed 4618	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window / User API: threadDelayed 397	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window / User API: threadDelayed 405	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Window / User API: threadDelayed 792	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 980
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1015
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 520
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1031
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 962
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1053
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Window / User API: threadDelayed 5328
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Window / User API: threadDelayed 4177
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7106
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2633
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2892
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window / User API: threadDelayed 1264
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window / User API: threadDelayed 1192
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window / User API: threadDelayed 1246
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window / User API: threadDelayed 1242
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window / User API: threadDelayed 1215
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Window / User API: threadDelayed 1187

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\mfcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Y5GDD24dF3WS31fzZ\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\soft[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Y5GDD24dF3WS31fzZ\Y-Cleaner.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\mfcm90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\win32event.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\win32process.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\python27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\mfc90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\mpc\41678903251236549780	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1024342001\540b6da6f6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\pythoncom27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\dll[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI46762\bz2.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\w22319us3M.exe TID: 4256	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe TID: 7080	Thread sleep time: -38019s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe TID: 3936	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1848	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1848	Thread sleep time: -80040s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 3528	Thread sleep count: 382 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 3528	Thread sleep time: -764382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 3060	Thread sleep count: 2060 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 3060	Thread sleep time: -4122060s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 320	Thread sleep count: 400 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 320	Thread sleep time: -800400s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1292	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1252	Thread sleep count: 416 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1252	Thread sleep time: -832416s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1960	Thread sleep count: 4618 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1960	Thread sleep time: -9240618s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1100	Thread sleep count: 397 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1100	Thread sleep time: -794397s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 7140	Thread sleep count: 405 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 7140	Thread sleep time: -810405s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1960	Thread sleep count: 792 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe TID: 1960	Thread sleep time: -1584792s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7372	Thread sleep count: 980 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7372	Thread sleep time: -1960980s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2792	Thread sleep count: 1015 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2792	Thread sleep time: -2031015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7284	Thread sleep count: 520 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7284	Thread sleep time: -1040520s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3732	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7300	Thread sleep count: 331 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7300	Thread sleep time: -9930000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4856	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5080	Thread sleep count: 1031 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5080	Thread sleep time: -2063031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6424	Thread sleep count: 962 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6424	Thread sleep time: -1924962s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7280	Thread sleep count: 1053 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7280	Thread sleep time: -2107053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 7180	Thread sleep count: 5328 > 30
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 7180	Thread sleep count: 4177 > 30
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -599516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -599406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -599297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -599187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598311s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -598090s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -597983s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -597863s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -596850s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -596732s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -596624s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -596438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -596311s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -596202s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -596093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595326s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -595098s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -594859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -594750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -594641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -594531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe TID: 3628	Thread sleep time: -594422s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1076	Thread sleep count: 6874 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5768	Thread sleep count: 2892 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7032	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe TID: 6476	Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe TID: 6580	Thread sleep time: -30000s >= -30000s
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe TID: 5304	Thread sleep count: 245 > 30
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe TID: 7504	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe TID: 7068	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 8136	Thread sleep count: 1264 > 30
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 8136	Thread sleep time: -2529264s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 4852	Thread sleep count: 1192 > 30
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 4852	Thread sleep time: -2385192s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 7000	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 8156	Thread sleep count: 1246 > 30
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 8156	Thread sleep time: -2493246s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 8128	Thread sleep count: 1242 > 30
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 8128	Thread sleep time: -2485242s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 3852	Thread sleep count: 1215 > 30
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 3852	Thread sleep time: -2431215s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 8152	Thread sleep count: 1187 > 30
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe TID: 8152	Thread sleep time: -2375187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe TID: 7720	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe TID: 7732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe TID: 7620	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe TID: 6064	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\w22319us3M.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C4EEBF0 PR_GetNumberOfProcessors,GetSystemInfo,

3_2_6C4EEBF0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599187
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598859
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598311
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 598090
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597983
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597863
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596850
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596732
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596438
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596311
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596202
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 596093
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595546
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595326
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595219
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 595098
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594750
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594641
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594531
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Thread delayed: delay time: 594422
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: 86e84e5515.exe, 00000019.00000003.3060029701.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: w22319us3M.exe, 00000000.00000003.2342041894.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000010.00000002.4709077916.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000010.00000002.4709077916.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251313145.000000000076C000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3250194297.000000000076C000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3250194297.000000000079E000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251313145.000000000079E000.00000004.00000020.00020000.00000000.sdmp, kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3080621815.0000000000253000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: &VBoxService.exe
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 3237c2ad29.exe, 00000021.00000002.3575167111.00000000044DA000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000002.3654697563.0000000005D50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: TQIFFJWDXOOLJHSZWIJGHLFZSRRETBPLSYFHXWBHTJHGFSDRIKEBZBLHLJNORSKWY
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 59c9193d17.exe, 0000001E.00000003.4404843636.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000002.4418339450.0000000000668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf=
Source: 4ee1ae93b7.exe, 00000020.00000003.4422248892.00000000056A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 86e84e5515.exe, 00000019.00000003.3060029701.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000014EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3030582482.0000000000F76000.00000040.00000001.01000000.00000006.sdmp, C2XE6J33GF4A861OXJC15F1M3NC83Q.exe, 00000004.00000002.2563646333.000000000098D000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000009.00000002.2592959531.0000000000CBD000.00000040.00000001.01000000.0000000C.sdmp, skotes.exe, 0000000A.00000002.2621714558.0000000000CBD000.00000040.00000001.01000000.0000000C.sdmp, skotes.exe, 00000010.00000002.4676572265.0000000000CBD000.00000040.00000001.01000000.0000000C.sdmp, KFHJJJKKFH.exe, 0000001C.00000002.3078607465.000000000050D000.00000040.00000001.01000000.00000013.sdmp, ecc27e013f.exe, 0000001F.00000002.3427279208.0000000000C2B000.00000040.00000001.01000000.00000016.sdmp, 4ee1ae93b7.exe, 00000020.00000002.4668502921.0000000000998000.00000040.00000001.01000000.00000017.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: OiMp3TH.exe, 00000011.00000002.4676690011.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1d
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: ecc27e013f.exe, 0000001F.00000003.3363387925.0000000001663000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363351203.000000000165E000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3529390805.0000000001666000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363763677.0000000001666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld": 2096 }, { "name": "svchost.exe", "pid": 2152 }, { "name": "svchost.exe", "pid": 2188 }, { "name": "svchost.exe", "pid": 2204 }, { "name": "svchost.exe", "pid": 2240 }, { "name": "svchost.exe", "pid": 2392 }, { "name": "svchost.exe", "pid": 2400 }, { "name": "svchost.exe", "pid": 2440 }, { "name": "OfficeClickToRun.exe", "pid": 2484 }, { "name": "svchost.exe", "pid": 2492 }, { "name": "svchost.exe", "pid": 2528 }, { "name": "svchost.exe", "pid": 258
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: ecc27e013f.exe, 0000001F.00000003.3254455789.0000000001601000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: ecc27e013f.exe, 0000001F.00000003.3256135701.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}eb554bf558c26852442306703\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: 3237c2ad29.exe, 00000023.00000002.3878209196.00000000013DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3080621815.0000000000253000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: VBoxService.exe
Source: ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3080621815.000000000039D000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3080621815.000000000039D000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3080621815.0000000000253000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: VMWare
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWI
Source: kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3080621815.000000000039D000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3030582482.0000000000F76000.00000040.00000001.01000000.00000006.sdmp, C2XE6J33GF4A861OXJC15F1M3NC83Q.exe, 00000004.00000002.2563646333.000000000098D000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000009.00000002.2592959531.0000000000CBD000.00000040.00000001.01000000.0000000C.sdmp, skotes.exe, 0000000A.00000002.2621714558.0000000000CBD000.00000040.00000001.01000000.0000000C.sdmp, skotes.exe, 00000010.00000002.4676572265.0000000000CBD000.00000040.00000001.01000000.0000000C.sdmp, KFHJJJKKFH.exe, 0000001C.00000002.3078607465.000000000050D000.00000040.00000001.01000000.00000013.sdmp, ecc27e013f.exe, 0000001F.00000002.3427279208.0000000000C2B000.00000040.00000001.01000000.00000016.sdmp, 4ee1ae93b7.exe, 00000020.00000002.4668502921.0000000000998000.00000040.00000001.01000000.00000017.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 86e84e5515.exe, 00000019.00000003.3060307557.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\w22319us3M.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\w22319us3M.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\w22319us3M.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Thread information set: HideFromDebugger
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Thread information set: HideFromDebugger
Source: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\w22319us3M.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\KFHJJJKKFH.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C5BAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6C5BAC62

Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C5BAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6C5BAC62

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812, type: MEMORYSTR

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc'
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc'
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Memory written: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Memory written: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: w22319us3M.exe, 00000000.00000003.2040295449.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: mindhandru.buzz
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: 86e84e5515.exe, 00000017.00000002.2980765503.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pancakedipyps.click
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: 59c9193d17.exe, 0000001E.00000002.4416456112.00000000005E0000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: fieldhitty.click

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KFHJJJKKFH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe "C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe "C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe "C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe "C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe "C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe "C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe "C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\cgjxdgffc'
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Process created: C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe "C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe"
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Process created: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe "C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\KFHJJJKKFH.exe "C:\Users\user\Documents\KFHJJJKKFH.exe"
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Process created: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe "C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Process created: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe "C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nnu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "u-eng.exe"

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nnu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "u-eng.exe"

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C604760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

3_2_6C604760

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C4E1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

3_2_6C4E1C30

Source: GCIPC88T1V3Y5G2CGGZMZF.exe, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3030994737.0000000000FBA000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: bProgram Manager
Source: C2XE6J33GF4A861OXJC15F1M3NC83Q.exe, 00000004.00000002.2567082413.00000000009D1000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000009.00000002.2593346718.0000000000D01000.00000040.00000001.01000000.0000000C.sdmp, skotes.exe, 0000000A.00000002.2622070590.0000000000D01000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: 8Program Manager
Source: ecc27e013f.exe, 0000001F.00000002.3427279208.0000000000C2B000.00000040.00000001.01000000.00000016.sdmp, 4ee1ae93b7.exe, 00000020.00000002.4668502921.0000000000998000.00000040.00000001.01000000.00000017.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C5BAE71 cpuid

3_2_6C5BAE71

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\w22319us3M.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024342001\540b6da6f6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024342001\540b6da6f6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\_socket.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\l9iqgq VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\l9iqgq VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\win32api.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmprx3bym\gen_py\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmprx3bym\gen_py\dicts.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\win32event.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\unicodedata.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\_tkinter.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI46762\tcl\encoding VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C5BA8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_6C5BA8DC

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Code function: 3_2_6C508390 NSS_GetVersion,

3_2_6C508390

Source: C:\Users\user\Desktop\w22319us3M.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: procmon.exe
Source: ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: wireshark.exe
Source: w22319us3M.exe, 00000000.00000003.2205357517.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2205589327.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2204913673.000000000554E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2205500259.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3184621897.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3241100784.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251609546.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\w22319us3M.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 9.2.skotes.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.KFHJJJKKFH.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.skotes.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.skotes.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.C2XE6J33GF4A861OXJC15F1M3NC83Q.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2548648752.00000000007A1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4670882680.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3071803296.0000000000321000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2592560272.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: w22319us3M.exe PID: 4980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86e84e5515.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3237c2ad29.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: 35.2.3237c2ad29.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.3237c2ad29.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.3237c2ad29.exe.45ecf38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.3575167111.00000000044DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 33.2.3237c2ad29.exe.42fb8f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.3237c2ad29.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.3237c2ad29.exe.42c39b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.3237c2ad29.exe.42fb8f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 44.2.525f5f9628.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.4575330103.0000000000631000.00000040.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3032740803.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3027431904.0000000000BB1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4580749981.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match

File source: 33.2.3237c2ad29.exe.42c39b8.2.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: w22319us3M.exe	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: w22319us3M.exe, 00000000.00000003.2172366560.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t"
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: w22319us3M.exe, 00000000.00000003.2204913673.000000000555F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx LibertyMYsr
Source: w22319us3M.exe, 00000000.00000003.2172366560.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jax
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: w22319us3M.exe, 00000000.00000003.2172366560.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"]b
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: w22319us3M.exe, 00000000.00000003.2172366560.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: w22319us3M.exe, 00000000.00000003.2172366560.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"]b
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: w22319us3M.exe, 00000000.00000003.2172366560.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: w22319us3M.exe, 00000000.00000003.2172366560.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: et\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\Desktop\w22319us3M.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\w22319us3M.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
Source: C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS

Source: Yara match	File source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3027431904.0000000000C7C000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.3878868238.000000000142B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.4575525882.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: w22319us3M.exe PID: 4980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86e84e5515.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3237c2ad29.exe PID: 7784, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: w22319us3M.exe PID: 4980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86e84e5515.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3237c2ad29.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: 35.2.3237c2ad29.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.3237c2ad29.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.3237c2ad29.exe.45ecf38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.3575167111.00000000044DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.3877590172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 33.2.3237c2ad29.exe.42fb8f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.3237c2ad29.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.3237c2ad29.exe.42c39b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.3237c2ad29.exe.42fb8f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 44.2.525f5f9628.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.GCIPC88T1V3Y5G2CGGZMZF.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.4575330103.0000000000631000.00000040.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3032740803.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3027431904.0000000000BB1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4580749981.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: GCIPC88T1V3Y5G2CGGZMZF.exe PID: 3812, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match

File source: 33.2.3237c2ad29.exe.42c39b8.2.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5C0C40 sqlite3_bind_zeroblob,	3_2_6C5C0C40
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5C0D60 sqlite3_bind_parameter_name,	3_2_6C5C0D60
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E8EA0 sqlite3_clear_bindings,	3_2_6C4E8EA0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C5C0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	3_2_6C5C0B40
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E6410 bind,WSAGetLastError,	3_2_6C4E6410
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4EC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	3_2_6C4EC050
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E6070 PR_Listen,	3_2_6C4E6070
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4EC030 sqlite3_bind_parameter_count,	3_2_6C4EC030
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E60B0 listen,WSAGetLastError,	3_2_6C4E60B0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4722D0 sqlite3_bind_blob,	3_2_6C4722D0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E63C0 PR_Bind,	3_2_6C4E63C0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E9400 sqlite3_bind_int64,	3_2_6C4E9400
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E94C0 sqlite3_bind_text,	3_2_6C4E94C0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E94F0 sqlite3_bind_text16,	3_2_6C4E94F0
Source: C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	Code function: 3_2_6C4E9480 sqlite3_bind_null,	3_2_6C4E9480

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	111 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Extra Window Memory Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	211 Registry Run Keys / Startup Folder	112 Process Injection	4 Obfuscated Files or Information	Security Account Manager	249 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Scheduled Task/Job	13 Software Packing	NTDS	11 Query Registry	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	211 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1061 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	471 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	471 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	112 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
w22319us3M.exe	63%	ReversingLabs	Win32.Trojan.Generic
w22319us3M.exe	100%	Avira	TR/Crypt.XPACK.Gen
w22319us3M.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\OiMp3TH[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\OiMp3TH[1].exe	18%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	57%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	39%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\soft[1]	75%	ReversingLabs	ByteCode-MSIL.Trojan.Malgent
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\dll[1]	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[2].exe	83%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe	18%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe	39%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe	83%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\1024339001\624913e255.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe	57%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\Y5GDD24dF3WS31fzZ\Bunifu_UI_v1.5.3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Y5GDD24dF3WS31fzZ\Y-Cleaner.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\_MEI46762\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\_tkinter.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\_win32sysloader.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\mfc90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\mfc90u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\mfcm90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\mfcm90u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\mpc\41678903251236549780	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\msvcm90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\msvcp90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\msvcr90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\python27.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\pythoncom27.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\pywintypes27.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\tcl85.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\tk85.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI46762\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://pancakedipyps.click/api&C	100%	Avira URL Cloud	malware
https://hummskitnj.buzz/	100%	Avira URL Cloud	malware
http://31.41.244.11/files/6151862750/OiMp3TH.exeXYZ0123456789	0%	Avira URL Cloud	safe
http://185.156.73.23/files/download43	0%	Avira URL Cloud	safe
http://185.215.113.206/c4becf79229cb002.php84N	100%	Avira URL Cloud	malware
https://hummskitnj.buzz/uo	100%	Avira URL Cloud	malware
http://specs.openid.net/extensions/ui/1.0/mode/popup	0%	Avira URL Cloud	safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0M	0%	Avira URL Cloud	safe
https://mindhandru.buzz/e8M	100%	Avira URL Cloud	malware
https://mindhandru.buzz/apiQmW3	100%	Avira URL Cloud	malware
https://pancakedipyps.click/6C	100%	Avira URL Cloud	malware
http://185.215.113.16/luma/random.exe:	0%	Avira URL Cloud	safe
https://pancakedipyps.click/apiN	100%	Avira URL Cloud	malware
http://31.41.244.11/files/nsx/random.exe	100%	Avira URL Cloud	phishing
http://185.215.113.206/c4becf79229cb002.php----GV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8Kn	100%	Avira URL Cloud	malware
https://hummskitnj.buzz/d	100%	Avira URL Cloud	malware
https://parquedelriovaldivia.cl/A	0%	Avira URL Cloud	safe
http://185.215.113.16/well/random.exee1395d71	0%	Avira URL Cloud	safe
http://185.215.113.206oM	0%	Avira URL Cloud	safe
http://185.215.113.206/68b591d6548ec281/nss3.dlllS	100%	Avira URL Cloud	malware
http://31.41.244.11/files/kardanvalov88/random.exeR	0%	Avira URL Cloud	safe
http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/	0%	Avira URL Cloud	safe
https://hummskitnj.buzz/api	100%	Avira URL Cloud	malware
http://185.215.113.206/68b591d6548ec281/sqlite3.dllcA.n	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.php/x	100%	Avira URL Cloud	malware
https://parquedelriovaldivia.cl/	0%	Avira URL Cloud	safe
http://31.41.244.11/files/martin/random.exe#	100%	Avira URL Cloud	malware
https://fieldhitty.click/	0%	Avira URL Cloud	safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse	0%	Avira URL Cloud	safe
http://185.215.113.206/c4becf79229cb002.phpSxS	100%	Avira URL Cloud	malware
http://crl.microP8	0%	Avira URL Cloud	safe
https://mindhandru.buzz/api2LiK	100%	Avira URL Cloud	malware
https://hummskitnj.buzz:443/api	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.php2001	100%	Avira URL Cloud	malware
http://185.215.113.16/we	0%	Avira URL Cloud	safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4	0%	Avira URL Cloud	safe
http://31.41.244.11/files/kardanvalov88/random.exeuNko/index.phpS	0%	Avira URL Cloud	safe
https://hummskitnj.buzz/apisk	100%	Avira URL Cloud	malware

Name	Malicious	Reputation
aspecteirs.lat	false	high
energyaffai.lat	false	high
grannyejh.lat	false	high
necklacebudi.lat	false	high
crosshuaht.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001548000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://specs.openid.net/extensions/ui/1.0/mode/popup	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hummskitnj.buzz/uo	kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B20000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/api&C	86e84e5515.exe, 00000019.00000003.3134583009.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3134679618.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://hummskitnj.buzz/	kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://axschema.org/company/nameBhttp://axschema.org/company/title:http://axschema.org/birthDateNhtt	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
http://31.41.244.11/files/6151862750/OiMp3TH.exeXYZ0123456789	skotes.exe, 00000010.00000002.4709077916.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mindhandru.buzz/apiQmW3	w22319us3M.exe, 00000000.00000003.2163516127.0000000005559000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2165024692.0000000005559000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://mindhandru.buzz/e8M	w22319us3M.exe, 00000000.00000003.2194727360.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2164465296.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2165143831.0000000005569000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2172864986.0000000005569000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
http://specs.openid.net/auth/2.0$dnoa.request_nonce	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
http://185.156.73.23/files/download43	4ee1ae93b7.exe, 00000020.00000002.4676302235.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/c4becf79229cb002.php84N	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://185.215.113.206/68b591d6548ec281/nss3.dll	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001530000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0M	ecc27e013f.exe, 0000001F.00000003.3363387925.0000000001663000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363351203.000000000165E000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3529390805.0000000001666000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363763677.0000000001666000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0	ecc27e013f.exe, 0000001F.00000003.3363387925.0000000001663000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363351203.000000000165E000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3529390805.0000000001666000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363763677.0000000001666000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3512046340.0000000001604000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363489418.0000000001601000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mindhandru.buzz/api	w22319us3M.exe, 00000000.00000003.2219190464.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	OiMp3TH.exe, 00000011.00000002.4682579427.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/6C	86e84e5515.exe, 00000019.00000003.3184621897.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3241100784.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251609546.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://31.41.244.11/files/nsx/random.exe	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.215.113.16/luma/random.exe:	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pancakedipyps.click/apiN	86e84e5515.exe, 00000019.00000003.3184621897.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3241100784.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251609546.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.php----GV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8Kn	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	true	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/martin/random.exe	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hummskitnj.buzz/d	kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://185.215.113.16/well/random.exee1395d71	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/ipbefore	ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	false		high
https://lev-tolstoi.com/api	3237c2ad29.exe, 00000023.00000002.3879091111.0000000001478000.00000004.00000020.00020000.00000000.sdmp, 3237c2ad29.exe, 00000023.00000002.3879169239.000000000148E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206oM	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000014EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://openid.net/sreg/1.05http://openid.net/sreg/1.1	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
http://specs.openid.net/extensions/oauth/1.0	3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2896813380.000000000BF98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://axschema.org/contact/postalAddress/homephttp://axschema.org/contact/postalAddressAdditional/h	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe	OiMp3TH.exe, 00000011.00000002.4682579427.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001548000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/nss3.dlllS	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001530000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://axschema.org/person/genderFhttp://axschema.org/media/biographyBhttp://axschema.org/pref/langu	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://axschema.org/namePersonJhttp://axschema.org/namePerson/prefixHhttp://axschema.org/namePerson/	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.phpF	skotes.exe, 00000010.00000002.4709077916.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpp	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	false		high
https://parquedelriovaldivia.cl/A	3237c2ad29.exe, 00000023.00000002.3880985272.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/sqlite3.dllcA.n	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://31.41.244.11/files/kardanvalov88/random.exeR	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hummskitnj.buzz/api	kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	w22319us3M.exe, 00000000.00000003.2134549360.0000000005589000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3097724202.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/mozglue.dll	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001563000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.php/x	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	86e84e5515.exe, 00000019.00000003.3106422824.000000000316C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	false		high
https://parquedelriovaldivia.cl/	3237c2ad29.exe, 00000023.00000002.3880985272.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://31.41.244.11/files/martin/random.exe#	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fieldhitty.click/	59c9193d17.exe, 0000001E.00000003.4404843636.000000000067C000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000002.4418339450.0000000000640000.00000004.00000020.00020000.00000000.sdmp, 59c9193d17.exe, 0000001E.00000003.4404843636.0000000000640000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.php/	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse	ecc27e013f.exe, 0000001F.00000002.3512046340.0000000001604000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363489418.0000000001601000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://namespace.google.com/openid/xmlns	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	w22319us3M.exe, 00000000.00000003.2086211935.000000000550E000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086359735.000000000550B000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2086278303.000000000550B000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000003.2599657456.000000000159B000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3032253355.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031616263.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3031825047.0000000002E78000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpSxS	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3027431904.0000000000C34000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/steam/random.exe	w22319us3M.exe, 00000000.00000003.2342041894.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exe2	w22319us3M.exe, 00000000.00000003.2341914882.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.openid.net/pape/policies/2007/06/phishing-resistantxhttp://schemas.openid.net/pape/po	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
http://crl.microP8	kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	ecc27e013f.exe, 0000001F.00000003.3226561251.00000000073B0000.00000004.00001000.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	false		high
http://185.215.113.16/	w22319us3M.exe, 00000000.00000003.2341914882.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17	ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hummskitnj.buzz:443/api	kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	w22319us3M.exe, 00000000.00000003.2141076975.000000000555A000.00000004.00000800.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3041322502.000000000BD20000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.00000000015C2000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3107123294.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.php2001	skotes.exe, 00000010.00000002.4709077916.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4	ecc27e013f.exe, 0000001F.00000002.3512046340.0000000001604000.00000004.00000020.00020000.00000000.sdmp, ecc27e013f.exe, 0000001F.00000003.3363489418.0000000001601000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1Pz8p7	4ee1ae93b7.exe, 00000020.00000003.4397814234.0000000005612000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4393904263.000000000594F000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4395509476.000000000594F000.00000004.00000020.00020000.00000000.sdmp, 4ee1ae93b7.exe, 00000020.00000003.4397575314.0000000005671000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/we	w22319us3M.exe, 00000000.00000003.2341914882.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpp	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://specs.openid.net/extensions/ui/1.0/icon	3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/softokn3.dll	GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001548000.00000004.00000020.00020000.00000000.sdmp, GCIPC88T1V3Y5G2CGGZMZF.exe, 00000003.00000002.3032740803.0000000001530000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mindhandru.buzz/api2LiK	w22319us3M.exe, 00000000.00000003.2133913855.0000000005558000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2139392141.000000000555F000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2134157737.000000000555F000.00000004.00000800.00020000.00000000.sdmp, w22319us3M.exe, 00000000.00000003.2141076975.000000000555F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://31.41.244.11/files/kardanvalov88/random.exeuNko/index.phpS	skotes.exe, 00000010.00000002.4709077916.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://openid.net/xmlns/1.09http://openid.net/signon/1.0	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical	3237c2ad29.exe, 00000021.00000002.3575167111.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 3237c2ad29.exe, 00000021.00000000.3379996270.0000000000EF2000.00000002.00000001.01000000.00000018.sdmp	false		high
https://pancakedipyps.click/	86e84e5515.exe, 00000019.00000003.3184621897.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3165689717.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3059738732.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3241100784.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3250194297.000000000079E000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000003.3059682313.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251313145.000000000079E000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251609546.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, 86e84e5515.exe, 00000019.00000002.3251662411.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hummskitnj.buzz/apisk	kqafnifqcv_638708865856767870.exe, 0000001D.00000002.3081940787.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://curl.se/docs/hsts.html	ecc27e013f.exe, 0000001F.00000002.3373287467.0000000000931000.00000040.00000001.01000000.00000016.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
172.217.19.227	unknown	United States	15169	GOOGLEUS	false
172.217.17.46	unknown	United States	15169	GOOGLEUS	false
50.31.176.165	unknown	United States	23352	SERVERCENTRALUS	false
172.67.141.124	unknown	United States	13335	CLOUDFLARENETUS	false
185.199.109.133	unknown	Netherlands	54113	FASTLYUS	false
185.156.73.23	unknown	Russian Federation	48817	RELDAS-NETRU	false
23.55.153.106	unknown	United States	20940	AKAMAI-ASN1EU	false
172.217.21.35	unknown	United States	15169	GOOGLEUS	false
172.217.21.36	unknown	United States	15169	GOOGLEUS	false
172.217.17.42	unknown	United States	15169	GOOGLEUS	false
172.67.216.236	unknown	United States	13335	CLOUDFLARENETUS	false
3.218.7.103	unknown	United States	14618	AMAZON-AESUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
104.21.66.86	unknown	United States	13335	CLOUDFLARENETUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.181.142	unknown	United States	15169	GOOGLEUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
104.21.23.76	unknown	United States	13335	CLOUDFLARENETUS	false
20.233.83.145	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
5.101.3.217	unknown	Russian Federation	34665	PINDC-ASRU	false
173.194.220.84	unknown	United States	15169	GOOGLEUS	false
104.21.11.101	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581394
Start date and time:	2024-12-27 14:54:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	71
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	w22319us3M.exe renamed because original name is a hash value
Original Sample Name:	58dd20c846afcde669280ef51d04e62f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@122/1042@0/27
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Execution Graph export aborted for target GCIPC88T1V3Y5G2CGGZMZF.exe, PID 3812 because there are no executed function
Execution Graph export aborted for target w22319us3M.exe, PID 4980 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: w22319us3M.exe

Simulations

Behavior and APIs

Time	Type	Description
08:54:57	API Interceptor	52x Sleep call for process: w22319us3M.exe modified
08:55:58	API Interceptor	83123x Sleep call for process: GCIPC88T1V3Y5G2CGGZMZF.exe modified
08:56:03	API Interceptor	923142x Sleep call for process: skotes.exe modified
08:56:22	API Interceptor	24x Sleep call for process: powershell.exe modified
08:56:28	API Interceptor	399829x Sleep call for process: OiMp3TH.exe modified
08:56:31	API Interceptor	8x Sleep call for process: 86e84e5515.exe modified
08:56:36	API Interceptor	1x Sleep call for process: kqafnifqcv_638708865856767870.exe modified
08:57:08	API Interceptor	14x Sleep call for process: 3237c2ad29.exe modified
08:57:32	API Interceptor	320331x Sleep call for process: 4ee1ae93b7.exe modified
08:58:49	API Interceptor	2x Sleep call for process: 59c9193d17.exe modified
08:58:52	API Interceptor	6x Sleep call for process: b310885a4c.exe modified
14:55:43	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
14:58:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run b310885a4c.exe C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe
14:59:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run b310885a4c.exe C:\Users\user\AppData\Local\Temp\1024340001\b310885a4c.exe
14:59:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 525f5f9628.exe C:\Users\user\AppData\Local\Temp\1024341001\525f5f9628.exe
14:59:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 540b6da6f6.exe C:\Users\user\AppData\Local\Temp\1024342001\540b6da6f6.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	LIWYEYWSOj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	Idau8QuYa3.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	oTZfvSwHTq.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	ZBbOXn0a3R.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	uLkHEqZ3u3.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
185.199.109.133	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	gabe.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
	SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
50.31.176.165	file.exe	Get hash	malicious	LummaC Stealer	Browse
	https://clickserve.dartsearch.net/link/click?lid=43700078497888010&ds_s_kwgid=58700008599075100&ds_a_cid=1402884687&ds_a_caid=20756460697&ds_a_agid=154005532286&ds_a_fiid=&ds_a_lid=kwd-21944266&ds_a_extid=&&ds_e_adid=680299733267&ds_e_matchtype=search&ds_e_device=c&ds_e_network=g&&ds_url_v=2&ds_dest_url=%2F%2F%2Fbit.ly%2F46ePuds#UjXUjrmYeT	Get hash	malicious	Unknown	Browse
	https://tahoevillagenv.com/dsb/ktx85kimc95vn	Get hash	malicious	Phisher	Browse
172.67.141.124	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
172.67.141.124	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	O53VxanH6A.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Wvo9FU4qo9.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	gshv2.exe	Get hash	malicious	Unknown	Browse	162.159.129.233
WHOLESALECONNECTIONSNL	O53VxanH6A.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	185.215.113.206
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	GnHq2ZaBUl.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	LIWYEYWSOj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	CAo57G5Cio.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	ZvHSpovhDw.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.16
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
SERVERCENTRALUS	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	205.234.141.183
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	216.246.5.240
	file.exe	Get hash	malicious	LummaC Stealer	Browse	50.31.176.165
	https://lcatterton.adobesign.gr.com/ryani8QmoTxrrisAT5lc4kattertoTxni8Qc4koTxm	Get hash	malicious	HTMLPhisher	Browse	216.246.46.135
	https://its.publimpres.com/northampton.edu/&adfs/ls/client-request-id=7c724&wa=wsignin10.html	Get hash	malicious	Unknown	Browse	216.246.46.21
	https://lumanity-chemisphere.qt9qms.app/	Get hash	malicious	HTMLPhisher	Browse	50.31.141.222
	zam.exe	Get hash	malicious	Snake Keylogger	Browse	50.31.176.103
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	50.31.176.103
	pedido.pif.exe	Get hash	malicious	Snake Keylogger	Browse	50.31.176.103
	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	216.246.47.153

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	glpEv3POe7.exe	Get hash	malicious	Stealc, Vidar	Browse
	gYjK72gL17.exe	Get hash	malicious	Stealc, Vidar	Browse
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse
	1lhZVZx5nD.exe	Get hash	malicious	Stealc, Vidar	Browse

Process:	C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4680
Entropy (8bit):	4.43219646681395
Encrypted:	false
SSDEEP:	48:cvIwWl8zsjJg77aI93GbRrWpW8VYMQ0Ym8M4JgzBz1FtEw+q8vzBz4wbUztUpd:uIjf9I7gFa7VSJgzJRKzJ4EUztUpd
MD5:	C3D34B3A225B4EE960EB6E0A217481BB
SHA1:	AF1A6B93658794DDF24E79484E18076D14CB62C5
SHA-256:	DDC9CD53EA9AA6ECD7ACE2610DFBE0A0F4A0DE1153F434DF8C6CDD92DDCB7CAE
SHA-512:	F797586561274DF81002B62599423516BF1743E5D1A209B95699A21E55553F45DA168D47DE6EDC49733B8EB77F2DFA5BE047944A82D327AC9B440A751FE404FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="649741" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090728852598106
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMKwuF9hDO6vP6O+3tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEQ66tbz8hu3VlXr4CRo1
MD5:	A68F023C247D2BCD34538F67DD2ACCE0
SHA1:	00ED9C0596CF1A60221DEC2CE2011C0168AC55E0
SHA-256:	19F68F4A047E9D45C5C13DD7D832BF533963729756710295CF86483CBDD358C3
SHA-512:	8C8A39EA9A0AA004AA0C08D0942F0A8699DCAB8E861B9ADC34F1376F7B6A8A549DB1DE98821DBE9794C95290D91CB3987C9233ABEEA72A372E2D7555B164FD2E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	94720
Entropy (8bit):	7.5870805902344856
Encrypted:	false
SSDEEP:	1536:bXbvRCqBSR3iW5hhtTqHmEpHP8Q1a37KNeIdJj6vbXee4BTBGAQ3wz14XPoBrR:bXbvRCqBShiWPn2GwkR7QxdJjybXe9px
MD5:	AB408F4EB577EDA6D98941EDE1B44863
SHA1:	95035CC5625641877753B56595972972732A7163
SHA-256:	A3489B28D0560FDB0BB7AB3191EE01E051F96BB4EBB0D979CEA7976EBAB5139F
SHA-512:	5DF00B30171250889468C19C6DFF821FA4E776835D655B782F6411197D516CEBED593F2FF03E3739CDE3355BF3758EA26C683F7092A53975AD6686F65A563179
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9=6..........."...0..T...........r... ........@.. ....................................`..................................q..O...................................8q..8............................................ ............... ..H............text... R... ...T.................. ..`.rsrc................V..............@..@.reloc...............p..............@..B.................q......H.......\|9...7...........................................................0...........(...........,..(.....8....r...p(.....rG..p(..... ....(......(..... . ,..r...p(.....8....r...p(.....(.....r#..p(......(.....re..p..'...(....(.....r...p(........(.....r...p.(......(....&r...p.(....(.....r...p(......(......rW..p...'...(....(.....r...p(......(......r...p...'...(....(.....r...p(......(......rG..p(........~....%-.&~......(...s....%.....(...+o.....!+..!o.....".ru..p."(....."(.....'.

Process:	C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379295070393417
Encrypted:	false
SSDEEP:	48:5WSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//x0Uyus:5LHxvCsIfA2KRHmOugw1s
MD5:	7B81ACDA8912A29F6C9D32963AC90B25
SHA1:	3F49228EA2EF879373330AD5F59C1261824E395B
SHA-256:	A8666C4709F3E78D085E6FF4C33F5118F9A8F4DCCD5EAB0918CE185C240988BE
SHA-512:	271447EF17C68840D861ED9157ADFE7BE59383715CB1EE4D45DB0552B9C4B14E14D9BAF334B6236CF7DDE60507BB3FEB706F879775CC68C1A0B738C20CCDD270
Malicious:	false
Reputation:	unknown
Preview:	@...e.................................\|..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Users\user\Desktop\w22319us3M.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3209216
Entropy (8bit):	6.657672536877299
Encrypted:	false
SSDEEP:	49152:ZKoDfBLgO/OiliAQeZRHaCydFU2gyoHcx07/3PN/Z9:VdEO/biAQEFy3boj7fPN/Z9
MD5:	023D3E22C2DF966B7EC6B1950A2FBC95
SHA1:	04F5B71CAF24E1E36C166399E4AEDEBBED8D5626
SHA-256:	EF8EBDB12E918ED1196ABACABC5CEDA321D39DDBEC73D3A46835BFB722CF35CA
SHA-512:	D7FE5AAE64A369DF5024D19C4CC2C8F22971833EF195E81E797A03703495A0D016523689F32209942F5E6F36E639706A5165068E57F67649820E99A7626F1EF6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@..........................01.......1...@.................................W...k.............................0...............................0..................................................... . ............................@....rsrc...............................@....idata ............................@...ysynnfor.@......:.................@...lfcxdbpw......0.......0.............@....taggant.0....1.."....0.............@...........................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 27 12:55:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9753399804642062
Encrypted:	false
SSDEEP:	48:8vDdJTVLpJHnidAKZdA19ehwiZUklqehNy+3:8vfBlDqy
MD5:	D3FA0179302F921607819C4D935AD5B2
SHA1:	07CB0D0ED0CC1189E9630F0DB36B9AA1D9C82E09
SHA-256:	B71F7B631742EC0ED58E23A22BBAD10A09E4319F9FBA32CEAACF9449852E5FBB
SHA-512:	B95090034DC056EDE0E97AD3D3B9F0944F972FAB476171BEAE07333C9A5930EF5B5E76A5101D906FD5E78DC169B0FFD5163EC180FED2085F3EB76161DDBC5FD4
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,........gX..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.n....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.n....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.n....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.n..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........~2.h.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Entrypoint:	0x891000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x541f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x52000	0x26400	0184cf4ac06608d1eeea8e6cb89e6273	False	0.9995659722222222	data	7.984271560443622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x1ac	0x200	c4249243ceaeb236e3ce8ce2ab2c9a69	False	0.5390625	data	5.249019796122045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x1000	0x200	39a711a7d804ccbc2a14eea65cf3c27e	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x55000	0x29e000	0x200	71c6854425c57eda1f2222208ff8801a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
isujduiu	0x2f3000	0x19d000	0x19c200	1b9dec96c2dc77d41bd9c835ef9eb042	False	0.9941501033136184	data	7.952916975061763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ynrufuji	0x490000	0x1000	0x600	626d25442f40a9f72ae765ee87f4c9e9	False	0.5690104166666666	data	5.09314834619486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x491000	0x3000	0x2200	a176b4bd88a73c9448c9f17605bcb58b	False	0.06353400735294118	DOS executable (COM)	0.7453353087129329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Target ID:	0
Start time:	08:54:53
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\w22319us3M.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\w22319us3M.exe"
Imagebase:	0x200000
File size:	1'860'608 bytes
MD5 hash:	58DD20C846AFCDE669280EF51D04E62F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	08:55:27
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GCIPC88T1V3Y5G2CGGZMZF.exe"
Imagebase:	0xbb0000
File size:	5'104'640 bytes
MD5 hash:	E8986E2F122CDFCFED4853174606574F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.3032740803.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.3027431904.0000000000BB1000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3027431904.0000000000C7C000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	08:55:33
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\C2XE6J33GF4A861OXJC15F1M3NC83Q.exe"
Imagebase:	0x7a0000
File size:	3'209'216 bytes
MD5 hash:	023D3E22C2DF966B7EC6B1950A2FBC95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000004.00000002.2548648752.00000000007A1000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 57%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	08:55:38
Start date:	27/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	08:55:39
Start date:	27/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=2224,i,6748778520308675678,4762310437119586897,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	08:55:42
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xad0000
File size:	3'209'216 bytes
MD5 hash:	023D3E22C2DF966B7EC6B1950A2FBC95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.2592560272.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	08:55:43
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xad0000
File size:	3'209'216 bytes
MD5 hash:	023D3E22C2DF966B7EC6B1950A2FBC95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000A.00000002.2621297401.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	08:55:50
Start date:	27/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	08:55:51
Start date:	27/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2400,i,10826734570849083507,2192603502781811824,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report w22319us3M.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CBAKFCBF

C:\ProgramData\CFIIIJJKJKFHIDGDBAKJ

C:\ProgramData\DBKFHJEBAAEBGDGDBFBGIEBAAA

C:\ProgramData\ECAEGHIJ

C:\ProgramData\HIIIECAAKECFHIECBKJD

C:\ProgramData\IDAAFBGDBKJJJKFIIIJJJECAAE

C:\ProgramData\KFBFCAFCBKFIEBFHIDBA

Windows Analysis Report
w22319us3M.exe

Target ID:	15
Start time:	08:55:52
Start date:	27/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1968,i,8730398777066644679,12218846822964699434,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	16
Start time:	08:56:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xad0000
File size:	3'209'216 bytes
MD5 hash:	023D3E22C2DF966B7EC6B1950A2FBC95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000010.00000002.4670882680.0000000000AD1000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	17
Start time:	08:56:21
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024267001\OiMp3TH.exe"
Imagebase:	0x470000
File size:	94'720 bytes
MD5 hash:	AB408F4EB577EDA6D98941EDE1B44863
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 18%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	21
Start time:	08:56:23
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
Imagebase:	0xd90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	08:56:27
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024334001\86e84e5515.exe"
Imagebase:	0xbc0000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 68%, ReversingLabs
Has exited:	true

Target ID:	29
Start time:	08:56:33
Start date:	27/12/2024
Path:	C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe
Wow64 process (32bit):	true
Commandline:	"C:\cgjxdgffc\kqafnifqcv_638708865856767870.exe"
Imagebase:	0x200000
File size:	1'282'560 bytes
MD5 hash:	2A64267B616C528EE9618165671CCA9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	30
Start time:	08:56:37
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024335001\59c9193d17.exe"
Imagebase:	0x890000
File size:	2'668'544 bytes
MD5 hash:	87330F1877C33A5A6203C49075223B16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 48%, ReversingLabs
Has exited:	true

Target ID:	31
Start time:	08:56:50
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024336001\ecc27e013f.exe"
Imagebase:	0x3c0000
File size:	4'487'168 bytes
MD5 hash:	01FBECB34B5AC1C9C3336C64817F1637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 39%, ReversingLabs
Has exited:	true

Target ID:	32
Start time:	08:56:59
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024337001\4ee1ae93b7.exe"
Imagebase:	0x400000
File size:	1'895'424 bytes
MD5 hash:	4B28BC82A5E69BA553B5834D151D25A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000020.00000002.4715017228.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000020.00000002.4675874053.0000000000EA8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Target ID:	34
Start time:	08:57:14
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1024338001\3237c2ad29.exe"
Imagebase:	0x130000
File size:	1'995'776 bytes
MD5 hash:	3B6A8C673CDBE5C6944E92E7DE9F75CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true