Edit tour

Windows Analysis Report
random(4).exe

Overview

General Information

Sample name:	random(4).exe
Analysis ID:	1583232
MD5:	c77592f28d3267b7c5e0529b6741548a
SHA1:	e0a741dbbdd703b9254e5613b36dc727262c1efc
SHA256:	739345a9fa6a95c79e3aaf761a810e917492c2072330ec5bb058447b9d56ea62
Tags:	exelev-tolstoi-comuser-JAMESWT_MHT
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates HTML files with .exe extension (expired dropper behavior)

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Drops PE files to the document folder of the user

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Potentially malicious time measurement code found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Reads the Security eventlog

Reads the System eventlog

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random(4).exe (PID: 6756 cmdline: "C:\Users\user\Desktop\random(4).exe" MD5: C77592F28D3267B7C5E0529B6741548A)

NU4SX64NXMV3YXYV8G3PIA0S0.exe (PID: 4144 cmdline: "C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe" MD5: 14FC1658DE54A19670851A44AFC48ABC)

chrome.exe (PID: 3760 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=2192,i,12920997312320207026,11927117372627731275,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cmd.exe (PID: 4364 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJDGIJJKE.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FIJDGIJJKE.exe (PID: 7540 cmdline: "C:\Users\user\Documents\FIJDGIJJKE.exe" MD5: F70FD98886425270B5017B04C74B31B8)

7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe (PID: 4908 cmdline: "C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe" MD5: F70FD98886425270B5017B04C74B31B8)

skotes.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: F70FD98886425270B5017B04C74B31B8)

9ce3a8a3dc.exe (PID: 7984 cmdline: "C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

9ce3a8a3dc.exe (PID: 8044 cmdline: "C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

943fedf78d.exe (PID: 8120 cmdline: "C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe" MD5: 87330F1877C33A5A6203C49075223B16)

55c1ca23f1.exe (PID: 744 cmdline: "C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe" MD5: 19861D67B2811D6EB3BE1951B28703AE)

AutoIt3_x64.exe (PID: 2448 cmdline: "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz MD5: 8FA52F316C393496F272357191DB6DEB)

982cf429c9.exe (PID: 5816 cmdline: "C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe" MD5: A098B3631CF208CAC539D0C4DA0DE1EB)

982cf429c9.exe (PID: 5212 cmdline: "C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe" MD5: A098B3631CF208CAC539D0C4DA0DE1EB)

cmd.exe (PID: 7992 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

d76dd796e0.exe (PID: 5632 cmdline: "C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe" MD5: DB206F26E2DA5BDEB251FDF9DEB6EFBE)

e13ae12563.exe (PID: 8024 cmdline: "C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe" MD5: C2968F40E6C44036E1D3E18BCA61C67D)

75b25e676e.exe (PID: 2936 cmdline: "C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe" MD5: 19861D67B2811D6EB3BE1951B28703AE)

AutoIt3_x64.exe (PID: 5444 cmdline: "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz MD5: 8FA52F316C393496F272357191DB6DEB)

13f4808de9.exe (PID: 4484 cmdline: "C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe" MD5: F200A3445A8034D201EEB79BB29E1D73)

6319f0cc28.exe (PID: 6652 cmdline: "C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe" MD5: C77592F28D3267B7C5E0529B6741548A)

334592f815.exe (PID: 3152 cmdline: "C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe" MD5: 14FC1658DE54A19670851A44AFC48ABC)

a48f6ed5ed.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe" MD5: CA250DF7319AC4E1A197E00FDA0C4323)

taskkill.exe (PID: 1852 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8132 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1376 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6428 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

8a0ebcc2e0.exe (PID: 8056 cmdline: "C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe" MD5: B0A80C5DBC0761ED26C786D6F2E56E1F)

ad8a3a5306.exe (PID: 4468 cmdline: "C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe" MD5: 9BE5AC720DCF1838FD5A2D7352672F66)

conhost.exe (PID: 2540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3512 cmdline: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1968 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

skotes.exe (PID: 8188 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: F70FD98886425270B5017B04C74B31B8)

skotes.exe (PID: 7256 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: F70FD98886425270B5017B04C74B31B8)

skotes.exe (PID: 7552 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: F70FD98886425270B5017B04C74B31B8)

6319f0cc28.exe (PID: 5804 cmdline: "C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe" MD5: C77592F28D3267B7C5E0529B6741548A)

334592f815.exe (PID: 2104 cmdline: "C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe" MD5: 14FC1658DE54A19670851A44AFC48ABC)

a48f6ed5ed.exe (PID: 3648 cmdline: "C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe" MD5: CA250DF7319AC4E1A197E00FDA0C4323)

taskkill.exe (PID: 6720 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

8a0ebcc2e0.exe (PID: 6332 cmdline: "C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe" MD5: B0A80C5DBC0761ED26C786D6F2E56E1F)

skotes.exe (PID: 5260 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: F70FD98886425270B5017B04C74B31B8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}

Threatname: LummaC

{"C2 url": ["slipperyloo.lat", "pancakedipyps.click", "tentabatte.lat", "manyrestro.lat", "shapestickyr.lat", "talkynicer.lat", "curverpluch.lat", "wordyfindy.lat", "bashfulacid.lat"], "Build id": "FATE99--test"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000023.00000003.4119625833.000000000165D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000002.3711440745.00000000003D1000.00000040.00000001.01000000.0000002C.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001F.00000003.3968382392.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000027.00000002.4097470810.00000000003D1000.00000040.00000001.01000000.0000002C.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000020.00000002.3667795783.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001F.00000003.3869502337.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000023.00000003.4156576126.000000000165D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000021.00000002.3714687550.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001F.00000003.3896221310.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2313455015.0000000000721000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000004.00000002.2313455015.00000000007EC000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2987197716.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001F.00000003.4074538250.00000000013D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2366087745.0000000000E31000.00000040.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000002.2078214906.0000000000231000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: random(4).exe PID: 6756	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: random(4).exe PID: 6756	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: random(4).exe PID: 6756	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 9ce3a8a3dc.exe PID: 8044	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 9ce3a8a3dc.exe PID: 8044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9ce3a8a3dc.exe PID: 8044	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.skotes.exe.c00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
14.2.skotes.exe.c00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.230000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
17.2.FIJDGIJJKE.exe.e30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.2.skotes.exe.c00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0xe4cf9:$str05: prefs.js 0xe5cf9:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
33.2.334592f815.exe.3d0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
33.2.334592f815.exe.3d0000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
39.2.334592f815.exe.3d0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
39.2.334592f815.exe.3d0000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7532, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6319f0cc28.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm', CommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe, ParentProcessId: 4468, ParentProcessName: ad8a3a5306.exe, ProcessCommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm', ProcessId: 3512, ProcessName: powershell.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe", ParentImage: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe, ParentProcessId: 4144, ParentProcessName: NU4SX64NXMV3YXYV8G3PIA0S0.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 3760, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7532, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6319f0cc28.exe

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, ProcessId: 2448, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivuiqylx.5hk.ps1

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm', CommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe, ParentProcessId: 4468, ParentProcessName: ad8a3a5306.exe, ProcessCommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm', ProcessId: 3512, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random(4).exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: 9ce3a8a3dc.exe.7984.10.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["slipperyloo.lat", "pancakedipyps.click", "tentabatte.lat", "manyrestro.lat", "shapestickyr.lat", "talkynicer.lat", "curverpluch.lat", "wordyfindy.lat", "bashfulacid.lat"], "Build id": "FATE99--test"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[4].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: random(4).exe	Virustotal: Detection: 58%			Perma Link
Source: random(4).exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: random(4).exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: 185.215.113.43
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: S-%lu-
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: abc3bc1985
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: skotes.exe
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Startup
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: rundll32
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Programs
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: %USERPROFILE%
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: cred.dll
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: clip.dll
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: http://
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: https://
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: /quiet
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: /Plugins/
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: &unit=
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: shell32.dll
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: kernel32.dll
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: GetNativeSystemInfo
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ProgramData\
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: AVAST Software
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Kaspersky Lab
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Panda Security
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Doctor Web
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: 360TotalSecurity
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Bitdefender
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Norton
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Sophos
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Comodo
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: WinDefender
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: 0123456789
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ------
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ?scr=1
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ComputerName
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: -unicode-
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: VideoID
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: DefaultSettings.XResolution
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: DefaultSettings.YResolution
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: ProductName
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: CurrentBuild
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: rundll32.exe
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: "taskkill /f /im "
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: " && timeout 1 && del
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: && Exit"
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: " && ren
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: Powershell.exe
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: shutdown -s -t 0
Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: random
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: 07
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: 01
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: 20
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: 25
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetProcAddress
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: LoadLibraryA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: lstrcatA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: OpenEventA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CreateEventA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CloseHandle
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Sleep
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: VirtualFree
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetSystemInfo
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: VirtualAlloc
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: HeapAlloc
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetComputerNameA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: lstrcpyA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetProcessHeap
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetCurrentProcess
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: lstrlenA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: ExitProcess
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetSystemTime
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: advapi32.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: gdi32.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: user32.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: crypt32.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetUserNameA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CreateDCA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetDeviceCaps
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: ReleaseDC
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sscanf
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: VMwareVMware
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: HAL9TH
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: JohnDoe
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: DISPLAY
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: http://185.215.113.206
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: /c4becf79229cb002.php
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: /68b591d6548ec281/
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: stok
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetFileAttributesA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: HeapFree
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetFileSize
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GlobalSize
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: IsWow64Process
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Process32Next
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetLocalTime
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: FreeLibrary
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetVolumeInformationA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Process32First
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetLocaleInfoA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetModuleFileNameA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: DeleteFileA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: FindNextFileA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: LocalFree
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: FindClose
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: LocalAlloc
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetFileSizeEx
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: ReadFile
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SetFilePointer
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: WriteFile
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CreateFileA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: FindFirstFileA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CopyFileA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: VirtualProtect
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetLastError
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: lstrcpynA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: MultiByteToWideChar
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GlobalFree
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: WideCharToMultiByte
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GlobalAlloc
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: OpenProcess
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: TerminateProcess
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetCurrentProcessId
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: gdiplus.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: ole32.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: bcrypt.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: wininet.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: shlwapi.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: shell32.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: rstrtmgr.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SelectObject
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: BitBlt
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: DeleteObject
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CreateCompatibleDC
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GdiplusStartup
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GdiplusShutdown
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GdipDisposeImage
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GdipFree
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CoUninitialize
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CoInitialize
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CoCreateInstance
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: BCryptDecrypt
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: BCryptSetProperty
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: BCryptDestroyKey
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetWindowRect
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetDesktopWindow
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetDC
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CloseWindow
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: wsprintfA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CharToOemW
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: wsprintfW
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RegQueryValueExA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RegEnumKeyExA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RegOpenKeyExA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RegCloseKey
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RegEnumValueA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CryptUnprotectData
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SHGetFolderPathA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: ShellExecuteExA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: InternetOpenUrlA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: InternetConnectA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: InternetCloseHandle
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: HttpSendRequestA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: HttpOpenRequestA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: InternetReadFile
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: InternetCrackUrlA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: StrCmpCA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: StrStrA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: StrCmpCW
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: PathMatchSpecA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RmStartSession
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RmRegisterResources
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RmGetList
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: RmEndSession
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3_open
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3_step
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3_column_text
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3_finalize
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3_close
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3_column_blob
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: encrypted_key
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: PATH
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: NSS_Init
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: NSS_Shutdown
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: PK11_FreeSlot
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: PK11_Authenticate
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: C:\ProgramData\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: browser:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: profile:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: url:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: login:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: password:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Opera
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: OperaGX
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Network
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: cookies
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: .txt
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: TRUE
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: FALSE
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: autofill
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: history
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: cc
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: name:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: month:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: year:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: card:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Cookies
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Login Data
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Web Data
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: History
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: logins.json
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: formSubmitURL
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: usernameField
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: encryptedUsername
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: encryptedPassword
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: guid
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: cookies.sqlite
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: formhistory.sqlite
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: places.sqlite
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: plugins
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Local Extension Settings
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Sync Extension Settings
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: IndexedDB
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Opera Stable
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Opera GX Stable
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: CURRENT
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: chrome-extension_
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Local State
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: profiles.ini
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: chrome
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: opera
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: firefox
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: wallets
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: ProductName
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: x32
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: x64
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: DisplayName
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: DisplayVersion
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Network Info:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - IP: IP?
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Country: ISO?
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: System Summary:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - HWID:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - OS:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Architecture:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - UserName:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Computer Name:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Local Time:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - UTC:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Language:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Keyboards:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Laptop:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Running Path:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - CPU:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Threads:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Cores:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - RAM:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - Display Resolution:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: - GPU:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: User Agents:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Installed Apps:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: All Users:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Current User:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Process List:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: system_info.txt
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: freebl3.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: mozglue.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: msvcp140.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: nss3.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: softokn3.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: vcruntime140.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \Temp\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: .exe
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: runas
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: open
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: /c start
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %DESKTOP%
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %APPDATA%
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %USERPROFILE%
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %DOCUMENTS%
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: %RECENT%
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: *.lnk
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: files
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \discord\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \Telegram Desktop\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: key_datas
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: map*
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Telegram
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Tox
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: *.tox
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: *.ini
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Password
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: 00000001
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: 00000002
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: 00000003
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: 00000004
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Pidgin
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \.purple\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: accounts.xml
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: token:
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Software\Valve\Steam
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: SteamPath
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \config\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: ssfn*
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: config.vdf
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: DialogConfig.vdf
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: libraryfolders.vdf
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: loginusers.vdf
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \Steam\
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: sqlite3.dll
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: done
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: soft
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: https
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: POST
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: HTTP/1.1
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: hwid
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: build
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: token
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: file_name
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: file
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: message
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF26C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,

4_2_6BF26C80

Source: random(4).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: mozglue.pdbP source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347880042.000000006BF8D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: nss3.pdb@ source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: nss3.pdb source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: mozglue.pdb source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347880042.000000006BF8D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: 943fedf78d.exe, 0000000D.00000000.2247461445.0000000000C8C000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: database.pdbmain.pdbsetup.tar.gzAutoIt3_x64.exemsvcp140.dllucrtbase.dll source: 55c1ca23f1.exe, 00000012.00000003.2311940788.0000000002403000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe

Code function: 10_2_00820DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

10_2_00820DA9

Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\CEF	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 16MB later: 40MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: pancakedipyps.click
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	IPs: 185.215.113.43

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: a098b3631cf208cac539d0c4da0de1eb.exe.9.dr

Source: Joe Sandbox View

IP Address: 104.21.48.1 104.21.48.1

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe

Code function: 5_2_0023E0C0 recv,recv,recv,recv,

5_2_0023E0C0

Source: random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/#
Source: random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/F
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968225491.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968225491.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeu
Source: random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/mine/random.exe5117-2476756634-1002
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/0
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll=
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllK
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll&
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B529000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php2
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpI
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpY
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B529000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpb
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpfi
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpion:
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B529000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206ones
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206z
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: random(4).exe, 00000000.00000003.1845169784.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791619976.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1802092337.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801922934.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 55c1ca23f1.exe, 00000012.00000003.2311940788.0000000002403000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sourceforge.net/projects/s-zipsfxbuilder/)
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347880042.000000006BF8D000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347623795.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256532484.000000000162F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2267594754.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2267594754.000000000162E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mo
Source: random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256532484.000000000162F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: random(4).exe, 00000000.00000003.1968762153.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1774346163.0000000005391000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763047280.0000000005396000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763089582.000000000539A000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1750659620.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791619976.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1787935893.0000000005391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/
Source: random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/#
Source: random(4).exe, 00000000.00000003.1968516826.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845454341.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/K
Source: random(4).exe, 00000000.00000003.1801861765.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/S
Source: random(4).exe, 00000000.00000003.1763145473.000000000539B000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763212305.000000000539D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/a
Source: random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845653640.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801783233.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845372507.000000000539E000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1787935893.000000000539E000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968353025.000000000539D000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845454341.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801861765.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api
Source: random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api1
Source: random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845169784.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845653640.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api97
Source: random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/b
Source: random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/c
Source: random(4).exe, 00000000.00000003.1845169784.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845653640.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791761313.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791557022.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/api
Source: 943fedf78d.exe, 0000000D.00000003.4125929580.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, 943fedf78d.exe, 0000000D.00000003.4131889031.0000000001206000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/
Source: 943fedf78d.exe, 0000000D.00000003.4125929580.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, 943fedf78d.exe, 0000000D.00000003.4131889031.0000000001206000.00000004.00000020.00020000.00000000.sdmp, 943fedf78d.exe, 0000000D.00000003.4125929580.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/api
Source: 943fedf78d.exe, 0000000D.00000003.4125929580.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, 943fedf78d.exe, 0000000D.00000003.4131889031.0000000001206000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/apid
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2256532484.000000000162F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/
Source: 9ce3a8a3dc.exe, 9ce3a8a3dc.exe, 0000000C.00000003.2335294704.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2376579538.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2327552419.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400323329.0000000001593000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2452826288.0000000001601000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400489317.00000000015A6000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400121522.0000000001600000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2441193868.0000000001594000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2444078928.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320200715.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2376311717.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api
Source: 9ce3a8a3dc.exe, 0000000C.00000002.2452826288.0000000001601000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400121522.0000000001600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api&
Source: 9ce3a8a3dc.exe, 0000000C.00000002.2452826288.0000000001601000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400121522.0000000001600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api9
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2327552419.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiO
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiuo
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/bm
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/bu
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/buiXoGK9
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/fe
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/jhBK
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/laiKoJ
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/pi
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/pi#oLKU
Source: random(4).exe, 00000000.00000003.1751972120.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221476307.0000000003C75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2228560257.000000000B762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: random(4).exe, 00000000.00000003.1763262995.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1762994374.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763106978.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751972120.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1752021463.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2131344489.00000000053ED000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221672138.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2235257275.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2234911700.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221476307.0000000003C73000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2235067086.0000000003C27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: random(4).exe, 00000000.00000003.1752021463.00000000053C6000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221672138.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: random(4).exe, 00000000.00000003.1763262995.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1762994374.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763106978.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751972120.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1752021463.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2131344489.00000000053ED000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221672138.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2235257275.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2234911700.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221476307.0000000003C73000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2235067086.0000000003C27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: random(4).exe, 00000000.00000003.1752021463.00000000053C6000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221672138.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: random(4).exe, 00000000.00000003.1802124250.000000000539B000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801768237.0000000005399000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1787935893.0000000005397000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1788085717.0000000005398000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791965316.0000000005399000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2267594754.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256532484.000000000162F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007A4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007A4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007A4000.00000040.00000001.01000000.00000006.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.0000000000887000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.0000000000887000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007A4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: random(4).exe, 00000000.00000003.1776302500.00000000054B9000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2228560257.000000000B762000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007A4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: random(4).exe, 00000000.00000003.1776302500.00000000054B9000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2228560257.000000000B762000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007A4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell

Reads the System eventlog

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 33.2.334592f815.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 39.2.334592f815.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io

PE file contains section with special chars

Source: random(4).exe	Static PE information: section name:
Source: random(4).exe	Static PE information: section name: .idata
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: section name:
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: section name: .idata
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: section name:
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: section name: .idata
Source: random[2].exe.4.dr	Static PE information: section name:
Source: random[2].exe.4.dr	Static PE information: section name: .idata
Source: FIJDGIJJKE.exe.4.dr	Static PE information: section name:
Source: FIJDGIJJKE.exe.4.dr	Static PE information: section name: .idata
Source: skotes.exe.5.dr	Static PE information: section name:
Source: skotes.exe.5.dr	Static PE information: section name: .idata
Source: random[4].exe.9.dr	Static PE information: section name:
Source: random[4].exe.9.dr	Static PE information: section name: .idata
Source: 8a0ebcc2e0.exe.9.dr	Static PE information: section name:
Source: 8a0ebcc2e0.exe.9.dr	Static PE information: section name: .idata
Source: random[2].exe.9.dr	Static PE information: section name:
Source: random[2].exe.9.dr	Static PE information: section name: .idata
Source: random[2].exe.9.dr	Static PE information: section name:
Source: d76dd796e0.exe.9.dr	Static PE information: section name:
Source: d76dd796e0.exe.9.dr	Static PE information: section name: .idata
Source: d76dd796e0.exe.9.dr	Static PE information: section name:
Source: random[2].exe0.9.dr	Static PE information: section name:
Source: random[2].exe0.9.dr	Static PE information: section name: .idata
Source: random[2].exe0.9.dr	Static PE information: section name:
Source: e13ae12563.exe.9.dr	Static PE information: section name:
Source: e13ae12563.exe.9.dr	Static PE information: section name: .idata
Source: e13ae12563.exe.9.dr	Static PE information: section name:
Source: random[3].exe0.9.dr	Static PE information: section name:
Source: random[3].exe0.9.dr	Static PE information: section name: .idata
Source: random[3].exe0.9.dr	Static PE information: section name:
Source: 13f4808de9.exe.9.dr	Static PE information: section name:
Source: 13f4808de9.exe.9.dr	Static PE information: section name: .idata
Source: 13f4808de9.exe.9.dr	Static PE information: section name:
Source: random[3].exe1.9.dr	Static PE information: section name:
Source: random[3].exe1.9.dr	Static PE information: section name: .idata
Source: 6319f0cc28.exe.9.dr	Static PE information: section name:
Source: 6319f0cc28.exe.9.dr	Static PE information: section name: .idata
Source: random[3].exe2.9.dr	Static PE information: section name:
Source: random[3].exe2.9.dr	Static PE information: section name: .idata
Source: 334592f815.exe.9.dr	Static PE information: section name:
Source: 334592f815.exe.9.dr	Static PE information: section name: .idata

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF1F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	4_2_6BF1F280
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF7B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	4_2_6BF7B910
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF7B8C0 rand_s,NtQueryVirtualMemory,	4_2_6BF7B8C0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF7B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	4_2_6BF7B700
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF3ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	4_2_6BF3ED10

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF135A0	4_2_6BF135A0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF853C8	4_2_6BF853C8
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF1F380	4_2_6BF1F380
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF2C370	4_2_6BF2C370
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF15340	4_2_6BF15340
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF5D320	4_2_6BF5D320
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF31AF0	4_2_6BF31AF0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF5E2F0	4_2_6BF5E2F0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF58AC0	4_2_6BF58AC0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF2CAB0	4_2_6BF2CAB0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF82AB0	4_2_6BF82AB0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF122A0	4_2_6BF122A0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF44AA0	4_2_6BF44AA0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF8BA90	4_2_6BF8BA90
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF59A60	4_2_6BF59A60
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF4D9B0	4_2_6BF4D9B0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF1C9A0	4_2_6BF1C9A0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF55190	4_2_6BF55190
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF72990	4_2_6BF72990
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF6B970	4_2_6BF6B970
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF8B170	4_2_6BF8B170
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF2D960	4_2_6BF2D960
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF3A940	4_2_6BF3A940
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF3C0E0	4_2_6BF3C0E0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF558E0	4_2_6BF558E0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF850C7	4_2_6BF850C7
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF460A0	4_2_6BF460A0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF5F070	4_2_6BF5F070
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF38850	4_2_6BF38850
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF3D850	4_2_6BF3D850
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF5B820	4_2_6BF5B820
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF64820	4_2_6BF64820
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF27810	4_2_6BF27810
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF46FF0	4_2_6BF46FF0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF1DFE0	4_2_6BF1DFE0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF677A0	4_2_6BF677A0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF57710	4_2_6BF57710
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF29F00	4_2_6BF29F00
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF1BEF0	4_2_6BF1BEF0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF2FEF0	4_2_6BF2FEF0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF876E3	4_2_6BF876E3
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF74EA0	4_2_6BF74EA0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF35E90	4_2_6BF35E90
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF7E680	4_2_6BF7E680
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF1C670	4_2_6BF1C670
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF86E63	4_2_6BF86E63
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF39E50	4_2_6BF39E50
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF53E50	4_2_6BF53E50
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF34640	4_2_6BF34640
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF62E4E	4_2_6BF62E4E
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF79E30	4_2_6BF79E30
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF57E10	4_2_6BF57E10
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF65600	4_2_6BF65600
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF785F0	4_2_6BF785F0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF50DD0	4_2_6BF50DD0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF3ED10	4_2_6BF3ED10
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF40512	4_2_6BF40512
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF2FD00	4_2_6BF2FD00
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF56CF0	4_2_6BF56CF0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF1D4E0	4_2_6BF1D4E0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF3D4D0	4_2_6BF3D4D0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF264C0	4_2_6BF264C0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF734A0	4_2_6BF734A0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF7C4A0	4_2_6BF7C4A0
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF26C80	4_2_6BF26C80
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF8545C	4_2_6BF8545C
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF25440	4_2_6BF25440
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF8542B	4_2_6BF8542B
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF55C10	4_2_6BF55C10
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF62C10	4_2_6BF62C10
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF8AC00	4_2_6BF8AC00
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_00235C83	5_2_00235C83
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_0023735A	5_2_0023735A
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_00278860	5_2_00278860
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_00348101	5_2_00348101
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_00234DE0	5_2_00234DE0
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_00234B30	5_2_00234B30
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_0080E094	10_2_0080E094
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_00801000	10_2_00801000
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_00826102	10_2_00826102
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_00812AA1	10_2_00812AA1
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_008243FF	10_2_008243FF
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_00818D90	10_2_00818D90
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_00813EA0	10_2_00813EA0
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 12_3_0158F7DC	12_3_0158F7DC
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 12_3_0158F7DC	12_3_0158F7DC
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 12_3_0158F7DC	12_3_0158F7DC
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 12_3_0158F7DC	12_3_0158F7DC

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: String function: 002480C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: String function: 6BF594D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: String function: 6BF4CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: String function: 0080E5A0 appears 49 times

Source: _pytransform.dll.22.dr

Static PE information: Number of sections : 11 > 10

Source: python3.dll.22.dr

Static PE information: No import functions for PE file found

Source: random(4).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 33.2.334592f815.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 39.2.334592f815.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b

Source: random[1].exe.9.dr	Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
Source: 9ce3a8a3dc.exe.9.dr	Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
Source: random[2].exe.9.dr	Static PE information: Section: ytfdrfzx ZLIB complexity 0.9902170549438368
Source: d76dd796e0.exe.9.dr	Static PE information: Section: ytfdrfzx ZLIB complexity 0.9902170549438368
Source: random[2].exe0.9.dr	Static PE information: Section: jzrbpplf ZLIB complexity 0.9945949556599774
Source: e13ae12563.exe.9.dr	Static PE information: Section: jzrbpplf ZLIB complexity 0.9945949556599774
Source: random[3].exe0.9.dr	Static PE information: Section: whflkpvn ZLIB complexity 0.994563728436086
Source: 13f4808de9.exe.9.dr	Static PE information: Section: whflkpvn ZLIB complexity 0.994563728436086

Source: FIJDGIJJKE.exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 334592f815.exe.9.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[3].exe2.9.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: random[4].exe0.9.dr, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: random[4].exe0.9.dr, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ad8a3a5306.exe.9.dr, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ad8a3a5306.exe.9.dr, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@99/227@0/22

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF77030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

4_2_6BF77030

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UQ6NO1AT.htm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_03

Source: C:\Users\user\Desktop\random(4).exe

File created: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Anti Malware Scan Interface: [IO.COMpresSiOn.CoMprESSioNMoDe]::DeCOMpreSs)),[TeXt.EncoDIng])).rEaDTOENd()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = ''# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = ''# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used in galle
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Anti Malware Scan Interface: [IO.COMpresSiOn.CoMprESSioNMoDe]::DeCOMpreSs)),[TeXt.EncoDIng])).rEaDTOENd()@{GUID = "D22E34C9-0A99-47D7-98F3-C0570257DEB6"Author = "Microsoft Corporation"CompanyName = "Microsoft Corporation"Copyright = " Microsoft Corporation. All rights reserved."ModuleVersion = "2.1.639.0"PowerShellVersion = "5.1"CLRVersion = "2.0"ModuleToProcess = "Microsoft.Uev.Commands.dll"Description = "User Experience Virtualization management commands."TypesToProcess = "UEV.Types.ps1xml"# Location from which to download updateable help HelpInfoURI = "https://go.microsoft.com/fwlink/?LinkId=826061"CompatiblePSEditions = @("Desktop", "Core")}## Module manifest for module 'WheaPolicyManagement'## Generated by: Microsoft Corporation## Generated on: 2/14/2011#@{# These modules will be processed when the module manifest is loaded.NestedModules = 'Microsoft.Windows.Whea.WheaMemoryPolicy'# This GUID is used to uniquely identify this module.GUID = 'b7bf4d74-f837-430e-810f-234f26021253'# The author of this module.Author = 'Microsoft Corporation'# The company or vendor for this module.CompanyName = 'Microsoft Corporation'# The copyright statement for this module.Copyright = ' Microsoft Corporation. All rights reserved.'# A description of this module (not be used because module manifest is not being localized).# Description = 'Whea WMI Module for Memory Policy'# The version of this module.ModuleVersion = '2.0.0.0'# The minimum version of PowerShell needed to use this module.PowerShellVersion = '5.1'# The CLR version required to use this module.CLRVersion = '4.0'# Request fwlink from UAHelpInfoUri="https://go.microsoft.com/fwlink/?linkid=390848"# Cmdlets to ExportCmdletsToExport="Get-WheaMemoryPolicy", "Set-WheaMemoryPolicy"# PowerShell editions this module is compatible withCompatiblePSEditions = @('Core', 'Desktop')}@{ GUID = "{4BC4DED7-249B-41AC-973F-83AF4D25D82B}" Author = "Microsoft Corporation" CompanyName = "Microsoft Corporation" Copyright = " Microsoft Corporation. All rights reserved." HelpInfoUri = "https://go.microsoft.com/fwlink/?linkid=390850" ModuleVersion = "1.0" PowerShellVersion = '5.1' ClrVersion = "4.0" RootModule = "WindowsErrorReporting.psm1" NestedModules = "Microsoft.WindowsErrorReporting.PowerShell.dll" TypesToProcess = @() FormatsToProcess = @() CmdletsToExport = @( 'Enable-WindowsErrorReporting', 'Disable-WindowsErrorReporting', 'Get-WindowsErrorReporting' ) AliasesToExport = @() CompatiblePSEditions = @('Desktop', 'Core')}@{GUID="{562C6233-EAEE-4876-B36C-D6B1F256D4E6}"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="1.0.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.WindowsSearch.Commands"HelpInfoUri= "https://go.microsoft.com/fwlink/?LinkId=280243"CmdletsToExport="Get-WindowsSearchSetting","Set-WindowsSearchSetting"CompatiblePSEditions=@("Core","Desktop")}## Module manifest fo

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random(4).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: random(4).exe, 00000000.00000003.1751682612.00000000053CA000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1752110267.0000000005395000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2139624194.00000000053E5000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2234968540.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347506230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: random(4).exe	Virustotal: Detection: 58%
Source: random(4).exe	ReversingLabs: Detection: 47%

Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\random(4).exe

File read: C:\Users\user\Desktop\random(4).exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random(4).exe "C:\Users\user\Desktop\random(4).exe"
Source: C:\Users\user\Desktop\random(4).exe	Process created: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe "C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe"
Source: C:\Users\user\Desktop\random(4).exe	Process created: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe "C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe"
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=2192,i,12920997312320207026,11927117372627731275,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe "C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe"
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Process created: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe "C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe "C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJDGIJJKE.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\FIJDGIJJKE.exe "C:\Users\user\Documents\FIJDGIJJKE.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe "C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe"
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe "C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe"
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Process created: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe "C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe "C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe "C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe"
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe "C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe"
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe "C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe "C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe "C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe "C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe "C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe "C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe "C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe"
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe "C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe"
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe "C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe"
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe "C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe"
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random(4).exe	Process created: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe "C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Process created: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe "C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJDGIJJKE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=2192,i,12920997312320207026,11927117372627731275,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Documents\FIJDGIJJKE.exe "C:\Users\user\Documents\FIJDGIJJKE.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe "C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe "C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe "C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe "C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe "C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe "C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe "C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe "C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe "C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe "C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe "C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe "C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe "C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe "C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Process created: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe "C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\FIJDGIJJKE.exe "C:\Users\user\Documents\FIJDGIJJKE.exe"
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Process created: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe "C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe"
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm'
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random(4).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: opcservices.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: kdscli.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: opcservices.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: libffi-7.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: opcservices.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: opcservices.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Section loaded: apphelp.dll

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: random(4).exe

Static file information: File size 3151360 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: random(4).exe

Static PE information: Raw size of jimlxaop is bigger than: 0x100000 < 0x2ab800

Source:	Binary string: mozglue.pdbP source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347880042.000000006BF8D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: nss3.pdb@ source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: nss3.pdb source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2348408685.000000006C14F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: mozglue.pdb source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347880042.000000006BF8D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: 943fedf78d.exe, 0000000D.00000000.2247461445.0000000000C8C000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: database.pdbmain.pdbsetup.tar.gzAutoIt3_x64.exemsvcp140.dllucrtbase.dll source: 55c1ca23f1.exe, 00000012.00000003.2311940788.0000000002403000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Unpacked PE file: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack :EW;.rsrc:W;.idata :W;tjfrjgvc:EW;oeyaxygs:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tjfrjgvc:EW;oeyaxygs:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Unpacked PE file: 5.2.7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.230000.0.unpack :EW;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 14.2.skotes.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW;
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Unpacked PE file: 17.2.FIJDGIJJKE.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 21.2.skotes.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Unpacked PE file: 25.2.e13ae12563.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jzrbpplf:EW;qryisspl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jzrbpplf:EW;qryisspl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Unpacked PE file: 30.2.13f4808de9.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;whflkpvn:EW;esywlygt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;whflkpvn:EW;esywlygt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 32.2.skotes.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xqzoqyib:EW;ryeovcsc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Unpacked PE file: 33.2.334592f815.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W;tjfrjgvc:EW;oeyaxygs:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tjfrjgvc:EW;oeyaxygs:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Unpacked PE file: 36.2.8a0ebcc2e0.exe.ac0000.0.unpack :EW;.rsrc:W;.idata :W;sfopxnfq:EW;upkutmqu:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Unpacked PE file: 39.2.334592f815.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W;tjfrjgvc:EW;oeyaxygs:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tjfrjgvc:EW;oeyaxygs:EW;.taggant:EW;

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Anti Malware Scan Interface: frOmBASE64string('pVl7c+K4lv+7u6q/A5VK7U3vDlljAwlddas2IbweNsF2DPHkVkqWZGPwK34AZma++z0ypCMDmZndpXjpd6Sj89KRdHz5GIdOTJPkMaY2jWmAaeWflX9orkeD1MvbYZC6QUb/8e3rt692FuDUDYMKza2Vb4WbFC0rv337WoHX5ajzDAMvZl11dq
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Anti Malware Scan Interface: frOmBASE64string('pVl7c+K4lv+7u6q/A5VK7U3vDlljAwlddas2IbweNsF2DPHkVkqWZGPwK34AZma++z0ypCMDmZndpXjpd6Sj89KRdHz5GIdOTJPkMaY2jWmAaeWflX9orkeD1MvbYZC6QUb/8e3rt692FuDUDYMKza2Vb4WbFC0rv337WoHX5ajzDAMvZl11dq

Source: random[4].exe0.9.dr

Static PE information: 0xAAB116B5 [Thu Sep 30 01:13:25 2060 UTC]

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF773E0 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_6BF773E0

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[2].exe0.9.dr	Static PE information: real checksum: 0x44e9da should be: 0x448f9d
Source: _raw_cast.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x7870
Source: FIJDGIJJKE.exe.4.dr	Static PE information: real checksum: 0x3203aa should be: 0x31cdd8
Source: e13ae12563.exe.9.dr	Static PE information: real checksum: 0x44e9da should be: 0x448f9d
Source: 334592f815.exe.9.dr	Static PE information: real checksum: 0x4fc5cd should be: 0x4f914d
Source: _raw_aesni.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xd2c3
Source: _modexp.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xdf94
Source: _pytransform.dll.22.dr	Static PE information: real checksum: 0x11edfe should be: 0x11dbef
Source: random[2].exe1.9.dr	Static PE information: real checksum: 0x147442 should be: 0x1ebf52
Source: 13f4808de9.exe.9.dr	Static PE information: real checksum: 0x4507bd should be: 0x4519af
Source: _strxor.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x10aad
Source: random(4).exe	Static PE information: real checksum: 0x30437c should be: 0x3041ab
Source: 75b25e676e.exe.9.dr	Static PE information: real checksum: 0x147442 should be: 0x1ebf52
Source: random[2].exe.4.dr	Static PE information: real checksum: 0x3203aa should be: 0x31cdd8
Source: _ARC4.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xc8ba
Source: _raw_des3.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x10195
Source: _cpuid_c.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xe2b6
Source: random[1].exe1.9.dr	Static PE information: real checksum: 0x147442 should be: 0x1ebf52
Source: _MD5.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x12225
Source: _SHA224.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x13d1f
Source: d76dd796e0.exe.9.dr	Static PE information: real checksum: 0x1daa09 should be: 0x1e617e
Source: random[3].exe0.9.dr	Static PE information: real checksum: 0x4507bd should be: 0x4519af
Source: 6319f0cc28.exe.9.dr	Static PE information: real checksum: 0x30437c should be: 0x3041ab
Source: _keccak.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xaf1b
Source: random[1].exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x88ff0
Source: random[4].exe0.9.dr	Static PE information: real checksum: 0x0 should be: 0x9001
Source: _raw_arc2.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x966e
Source: _MD2.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x110e3
Source: _raw_eksblowfish.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xc1e6
Source: random[3].exe2.9.dr	Static PE information: real checksum: 0x4fc5cd should be: 0x4f914d
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: real checksum: 0x4fc5cd should be: 0x4f914d
Source: _SHA256.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xa85b
Source: random[4].exe.9.dr	Static PE information: real checksum: 0x2a3436 should be: 0x299e6b
Source: _raw_cfb.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x9762
Source: win32ui.cp310-win_amd64.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x16a344
Source: 55c1ca23f1.exe.9.dr	Static PE information: real checksum: 0x147442 should be: 0x1ebf52
Source: _scrypt.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x80b5
Source: _Salsa20.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x3657
Source: _raw_des.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x124f2
Source: _raw_cbc.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x3a38
Source: _raw_ecb.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x4c1b
Source: 9ce3a8a3dc.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x88ff0
Source: _MD4.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x9fa9
Source: _RIPEMD160.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x6f18
Source: _raw_ocb.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x14299
Source: _poly1305.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xbea9
Source: random[3].exe1.9.dr	Static PE information: real checksum: 0x30437c should be: 0x3041ab
Source: _SHA1.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xbd05
Source: _SHA512.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xbd08
Source: _raw_aes.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x14e8f
Source: _raw_blowfish.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x11ec6
Source: _ghash_portable.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xa111
Source: _SHA384.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x100ff
Source: _ec_ws.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0xc5419
Source: _chacha20.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x741f
Source: ad8a3a5306.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x9001
Source: 8a0ebcc2e0.exe.9.dr	Static PE information: real checksum: 0x2a3436 should be: 0x299e6b
Source: _BLAKE2b.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x864f
Source: _ghash_clmul.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x9c9d
Source: pywintypes310.dll.22.dr	Static PE information: real checksum: 0x0 should be: 0x2c30d
Source: _raw_ctr.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x46bb
Source: random[2].exe.9.dr	Static PE information: real checksum: 0x1daa09 should be: 0x1e617e
Source: _raw_ofb.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x727a
Source: pythoncom310.dll.22.dr	Static PE information: real checksum: 0x0 should be: 0x8ce57
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: real checksum: 0x3203aa should be: 0x31cdd8
Source: _BLAKE2s.pyd.22.dr	Static PE information: real checksum: 0x0 should be: 0x50f7
Source: skotes.exe.5.dr	Static PE information: real checksum: 0x3203aa should be: 0x31cdd8

Source: random(4).exe	Static PE information: section name:
Source: random(4).exe	Static PE information: section name: .idata
Source: random(4).exe	Static PE information: section name: jimlxaop
Source: random(4).exe	Static PE information: section name: lzmmbpyt
Source: random(4).exe	Static PE information: section name: .taggant
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: section name:
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: section name: .idata
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: section name: tjfrjgvc
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: section name: oeyaxygs
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe.0.dr	Static PE information: section name: .taggant
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: section name:
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: section name: .idata
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: section name: xqzoqyib
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: section name: ryeovcsc
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.4.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.4.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.4.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.4.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.4.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.4.dr	Static PE information: section name: .didat
Source: nss3.dll.4.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.4.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.4.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.4.dr	Static PE information: section name: .00cfg
Source: random[2].exe.4.dr	Static PE information: section name:
Source: random[2].exe.4.dr	Static PE information: section name: .idata
Source: random[2].exe.4.dr	Static PE information: section name: xqzoqyib
Source: random[2].exe.4.dr	Static PE information: section name: ryeovcsc
Source: random[2].exe.4.dr	Static PE information: section name: .taggant
Source: FIJDGIJJKE.exe.4.dr	Static PE information: section name:
Source: FIJDGIJJKE.exe.4.dr	Static PE information: section name: .idata
Source: FIJDGIJJKE.exe.4.dr	Static PE information: section name: xqzoqyib
Source: FIJDGIJJKE.exe.4.dr	Static PE information: section name: ryeovcsc
Source: FIJDGIJJKE.exe.4.dr	Static PE information: section name: .taggant
Source: skotes.exe.5.dr	Static PE information: section name:
Source: skotes.exe.5.dr	Static PE information: section name: .idata
Source: skotes.exe.5.dr	Static PE information: section name: xqzoqyib
Source: skotes.exe.5.dr	Static PE information: section name: ryeovcsc
Source: skotes.exe.5.dr	Static PE information: section name: .taggant
Source: random[4].exe.9.dr	Static PE information: section name:
Source: random[4].exe.9.dr	Static PE information: section name: .idata
Source: random[4].exe.9.dr	Static PE information: section name: sfopxnfq
Source: random[4].exe.9.dr	Static PE information: section name: upkutmqu
Source: random[4].exe.9.dr	Static PE information: section name: .taggant
Source: 8a0ebcc2e0.exe.9.dr	Static PE information: section name:
Source: 8a0ebcc2e0.exe.9.dr	Static PE information: section name: .idata
Source: 8a0ebcc2e0.exe.9.dr	Static PE information: section name: sfopxnfq
Source: 8a0ebcc2e0.exe.9.dr	Static PE information: section name: upkutmqu
Source: 8a0ebcc2e0.exe.9.dr	Static PE information: section name: .taggant
Source: random[1].exe0.9.dr	Static PE information: section name: .fptable
Source: 943fedf78d.exe.9.dr	Static PE information: section name: .fptable
Source: random[2].exe.9.dr	Static PE information: section name:
Source: random[2].exe.9.dr	Static PE information: section name: .idata
Source: random[2].exe.9.dr	Static PE information: section name:
Source: random[2].exe.9.dr	Static PE information: section name: ytfdrfzx
Source: random[2].exe.9.dr	Static PE information: section name: suajkmtz
Source: random[2].exe.9.dr	Static PE information: section name: .taggant
Source: d76dd796e0.exe.9.dr	Static PE information: section name:
Source: d76dd796e0.exe.9.dr	Static PE information: section name: .idata
Source: d76dd796e0.exe.9.dr	Static PE information: section name:
Source: d76dd796e0.exe.9.dr	Static PE information: section name: ytfdrfzx
Source: d76dd796e0.exe.9.dr	Static PE information: section name: suajkmtz
Source: d76dd796e0.exe.9.dr	Static PE information: section name: .taggant
Source: random[2].exe0.9.dr	Static PE information: section name:
Source: random[2].exe0.9.dr	Static PE information: section name: .idata
Source: random[2].exe0.9.dr	Static PE information: section name:
Source: random[2].exe0.9.dr	Static PE information: section name: jzrbpplf
Source: random[2].exe0.9.dr	Static PE information: section name: qryisspl
Source: random[2].exe0.9.dr	Static PE information: section name: .taggant
Source: e13ae12563.exe.9.dr	Static PE information: section name:
Source: e13ae12563.exe.9.dr	Static PE information: section name: .idata
Source: e13ae12563.exe.9.dr	Static PE information: section name:
Source: e13ae12563.exe.9.dr	Static PE information: section name: jzrbpplf
Source: e13ae12563.exe.9.dr	Static PE information: section name: qryisspl
Source: e13ae12563.exe.9.dr	Static PE information: section name: .taggant
Source: random[3].exe0.9.dr	Static PE information: section name:
Source: random[3].exe0.9.dr	Static PE information: section name: .idata
Source: random[3].exe0.9.dr	Static PE information: section name:
Source: random[3].exe0.9.dr	Static PE information: section name: whflkpvn
Source: random[3].exe0.9.dr	Static PE information: section name: esywlygt
Source: random[3].exe0.9.dr	Static PE information: section name: .taggant
Source: 13f4808de9.exe.9.dr	Static PE information: section name:
Source: 13f4808de9.exe.9.dr	Static PE information: section name: .idata
Source: 13f4808de9.exe.9.dr	Static PE information: section name:
Source: 13f4808de9.exe.9.dr	Static PE information: section name: whflkpvn
Source: 13f4808de9.exe.9.dr	Static PE information: section name: esywlygt
Source: 13f4808de9.exe.9.dr	Static PE information: section name: .taggant
Source: random[3].exe1.9.dr	Static PE information: section name:
Source: random[3].exe1.9.dr	Static PE information: section name: .idata
Source: random[3].exe1.9.dr	Static PE information: section name: jimlxaop
Source: random[3].exe1.9.dr	Static PE information: section name: lzmmbpyt
Source: random[3].exe1.9.dr	Static PE information: section name: .taggant
Source: 6319f0cc28.exe.9.dr	Static PE information: section name:
Source: 6319f0cc28.exe.9.dr	Static PE information: section name: .idata
Source: 6319f0cc28.exe.9.dr	Static PE information: section name: jimlxaop
Source: 6319f0cc28.exe.9.dr	Static PE information: section name: lzmmbpyt
Source: 6319f0cc28.exe.9.dr	Static PE information: section name: .taggant
Source: random[3].exe2.9.dr	Static PE information: section name:
Source: random[3].exe2.9.dr	Static PE information: section name: .idata
Source: random[3].exe2.9.dr	Static PE information: section name: tjfrjgvc
Source: random[3].exe2.9.dr	Static PE information: section name: oeyaxygs
Source: random[3].exe2.9.dr	Static PE information: section name: .taggant
Source: 334592f815.exe.9.dr	Static PE information: section name:
Source: 334592f815.exe.9.dr	Static PE information: section name: .idata
Source: 334592f815.exe.9.dr	Static PE information: section name: tjfrjgvc
Source: 334592f815.exe.9.dr	Static PE information: section name: oeyaxygs
Source: 334592f815.exe.9.dr	Static PE information: section name: .taggant
Source: mfc140u.dll.22.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.22.dr	Static PE information: section name: _RDATA
Source: _pytransform.dll.22.dr	Static PE information: section name: .xdata
Source: libcrypto-1_1.dll.22.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.22.dr	Static PE information: section name: .00cfg
Source: python310.dll.22.dr	Static PE information: section name: PyRuntim

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF4B536 push ecx; ret	4_2_6BF4B549
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_0024D91C push ecx; ret	5_2_0024D92F
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_00241359 push es; ret	5_2_0024135A
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_00838287 push esi; iretd	10_2_00838288
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_0080E75A push ecx; ret	10_2_0080E76D

Source: random(4).exe	Static PE information: section name: entropy: 7.09048271708439
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.0.dr	Static PE information: section name: entropy: 7.172018160610141
Source: random[2].exe.4.dr	Static PE information: section name: entropy: 7.172018160610141
Source: FIJDGIJJKE.exe.4.dr	Static PE information: section name: entropy: 7.172018160610141
Source: skotes.exe.5.dr	Static PE information: section name: entropy: 7.172018160610141
Source: random[2].exe.9.dr	Static PE information: section name: ytfdrfzx entropy: 7.9478166443730345
Source: d76dd796e0.exe.9.dr	Static PE information: section name: ytfdrfzx entropy: 7.9478166443730345
Source: random[2].exe0.9.dr	Static PE information: section name: jzrbpplf entropy: 7.956572353209662
Source: e13ae12563.exe.9.dr	Static PE information: section name: jzrbpplf entropy: 7.956572353209662
Source: random[3].exe0.9.dr	Static PE information: section name: whflkpvn entropy: 7.955966555987466
Source: 13f4808de9.exe.9.dr	Static PE information: section name: whflkpvn entropy: 7.955966555987466
Source: random[3].exe1.9.dr	Static PE information: section name: entropy: 7.09048271708439
Source: 6319f0cc28.exe.9.dr	Static PE information: section name: entropy: 7.09048271708439

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

File created: C:\Users\user\Documents\FIJDGIJJKE.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_pytransform.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin\win32ui.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random(4).exe	File created: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\Users\user\Documents\FIJDGIJJKE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.001\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\win32\win32api.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.001\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random(4).exe	File created: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\win32\win32trace.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\win32\_win32sysloader.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.001\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_overlapped.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a48f6ed5ed.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 334592f815.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a0ebcc2e0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6319f0cc28.exe	Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random(4).exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6319f0cc28.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6319f0cc28.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 334592f815.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 334592f815.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a48f6ed5ed.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a48f6ed5ed.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a0ebcc2e0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a0ebcc2e0.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF755F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_6BF755F0

Source: C:\Users\user\Desktop\random(4).exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\random(4).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random(4).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\random(4).exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random(4).exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 719557 second address: 71955B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 71955B second address: 718D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0264BBFB18h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f nop 0x00000010 sub dword ptr [ebp+122D35FBh], ebx 0x00000016 push dword ptr [ebp+122D0B49h] 0x0000001c mov dword ptr [ebp+122D3856h], edx 0x00000022 call dword ptr [ebp+122D2A95h] 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D3560h], edx 0x0000002f xor eax, eax 0x00000031 add dword ptr [ebp+122D1CCCh], ecx 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jmp 00007F0264BBFB1Bh 0x00000040 jmp 00007F0264BBFB22h 0x00000045 mov dword ptr [ebp+122D2E4Fh], eax 0x0000004b mov dword ptr [ebp+122D3560h], esi 0x00000051 mov esi, 0000003Ch 0x00000056 xor dword ptr [ebp+122D3160h], edx 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D3560h], edx 0x00000066 lodsw 0x00000068 cmc 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d sub dword ptr [ebp+122D1CCCh], esi 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 pushad 0x00000078 mov dword ptr [ebp+122D3560h], esi 0x0000007e and edx, dword ptr [ebp+122D2ED7h] 0x00000084 popad 0x00000085 push eax 0x00000086 push eax 0x00000087 push edx 0x00000088 push ecx 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 718D7C second address: 718D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8918E1 second address: 8918EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8815D4 second address: 8815DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8815DF second address: 8815EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8815EA second address: 8815F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0264E84AC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8815F4 second address: 88162C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0264BBFB16h 0x00000008 jmp 00007F0264BBFB1Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0264BBFB27h 0x00000016 jne 00007F0264BBFB16h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 88162C second address: 881630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 890C43 second address: 890C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 890C47 second address: 890C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 890C4B second address: 890C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 890C53 second address: 890C61 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F0264E84AC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 891238 second address: 891243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 891243 second address: 891248 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 893FD4 second address: 718D7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0264BBFB16h 0x00000009 jmp 00007F0264BBFB25h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor dword ptr [esp], 57B282EDh 0x00000018 push dword ptr [ebp+122D0B49h] 0x0000001e mov esi, eax 0x00000020 call dword ptr [ebp+122D2A95h] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D3560h], edx 0x0000002d xor eax, eax 0x0000002f add dword ptr [ebp+122D1CCCh], ecx 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 jmp 00007F0264BBFB1Bh 0x0000003e jmp 00007F0264BBFB22h 0x00000043 mov dword ptr [ebp+122D2E4Fh], eax 0x00000049 mov dword ptr [ebp+122D3560h], esi 0x0000004f mov esi, 0000003Ch 0x00000054 xor dword ptr [ebp+122D3160h], edx 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e mov dword ptr [ebp+122D3560h], edx 0x00000064 lodsw 0x00000066 cmc 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b sub dword ptr [ebp+122D1CCCh], esi 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 pushad 0x00000076 mov dword ptr [ebp+122D3560h], esi 0x0000007c and edx, dword ptr [ebp+122D2ED7h] 0x00000082 popad 0x00000083 push eax 0x00000084 push eax 0x00000085 push edx 0x00000086 push ecx 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 89407D second address: 8940C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 add dword ptr [esp], 677B2E51h 0x0000000e mov dword ptr [ebp+122D1CD3h], ecx 0x00000014 push 00000003h 0x00000016 mov dx, E87Ah 0x0000001a call 00007F0264E84ACBh 0x0000001f mov cl, E4h 0x00000021 pop ecx 0x00000022 push 00000000h 0x00000024 mov edx, dword ptr [ebp+122D2F93h] 0x0000002a mov ecx, eax 0x0000002c push 00000003h 0x0000002e mov dword ptr [ebp+122D35DEh], eax 0x00000034 push 4167E353h 0x00000039 push edi 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8940C0 second address: 8940C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8940C6 second address: 89410E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 add dword ptr [esp], 7E981CADh 0x0000000d mov edi, dword ptr [ebp+122D2F1Bh] 0x00000013 lea ebx, dword ptr [ebp+1244EF31h] 0x00000019 mov dword ptr [ebp+122D3812h], eax 0x0000001f jmp 00007F0264E84AD8h 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 pushad 0x00000027 push edx 0x00000028 pop edx 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c pushad 0x0000002d jne 00007F0264E84AC6h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 894320 second address: 894379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0264BBFB1Ah 0x00000008 jng 00007F0264BBFB16h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 jng 00007F0264BBFB2Dh 0x0000001a push 00000000h 0x0000001c sub dword ptr [ebp+122D35DEh], ebx 0x00000022 push 5914D695h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F0264BBFB24h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 894379 second address: 89437F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 89437F second address: 894383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 894383 second address: 894387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B4E27 second address: 8B4E5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB29h 0x00000007 jmp 00007F0264BBFB28h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B2E60 second address: 8B2E67 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B2E67 second address: 8B2E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B3364 second address: 8B3368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B3368 second address: 8B338E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007F0264BBFB16h 0x0000000f pop edi 0x00000010 jbe 00007F0264BBFB1Eh 0x00000016 jns 00007F0264BBFB16h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 pop esi 0x00000024 push esi 0x00000025 pop esi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B34E4 second address: 8B34EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B34EA second address: 8B34EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B34EE second address: 8B34F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B34F6 second address: 8B355C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0264BBFB3Fh 0x00000008 jmp 00007F0264BBFB1Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007F0264BBFB29h 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007F0264BBFB16h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B39A1 second address: 8B39C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84ACCh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b je 00007F0264E84AD6h 0x00000011 jmp 00007F0264E84ACAh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 889CC5 second address: 889CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 889CCB second address: 889CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0264E84ACDh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B3F56 second address: 8B3F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B3F5E second address: 8B3F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F0264E84AD4h 0x0000000b jmp 00007F0264E84ACDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B44FD second address: 8B4501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B4501 second address: 8B4521 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACBh 0x00000007 jmp 00007F0264E84AD1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B482B second address: 8B4835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B4835 second address: 8B483B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B483B second address: 8B483F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B483F second address: 8B484B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F0264E84AC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B49C9 second address: 8B49CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B49CD second address: 8B49D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B71D6 second address: 8B71DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B71DC second address: 8B71E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8B71E0 second address: 8B71FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0264BBFB27h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8BD35D second address: 8BD373 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8BC3FA second address: 8BC402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C1796 second address: 8C179A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C179A second address: 8C17AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0264BBFB16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C17AC second address: 8C17B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C0DAF second address: 8C0DD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB24h 0x00000007 je 00007F0264BBFB16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C0DD1 second address: 8C0DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C0DD7 second address: 8C0DE1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0264BBFB16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C1604 second address: 8C1608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C1608 second address: 8C160E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C160E second address: 8C161E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0264E84ACAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C161E second address: 8C1638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F0264BBFB23h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C2689 second address: 8C26A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C29B2 second address: 8C29B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C2B52 second address: 8C2B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C330D second address: 8C333B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0264BBFB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F0264BBFB16h 0x00000011 jnl 00007F0264BBFB16h 0x00000017 popad 0x00000018 popad 0x00000019 mov dword ptr [esp], ebx 0x0000001c push ecx 0x0000001d mov dword ptr [ebp+122D37D7h], ecx 0x00000023 pop edi 0x00000024 push eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 jl 00007F0264BBFB16h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C333B second address: 8C333F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C342E second address: 8C3438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0264BBFB16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C3E26 second address: 8C3E46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F0264E84AC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C4759 second address: 8C4763 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0264BBFB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C4763 second address: 8C4779 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007F0264E84AC6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e jng 00007F0264E84ACCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C6414 second address: 8C6418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C6418 second address: 8C646E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 add esi, 1CD54300h 0x0000000e pushad 0x0000000f mov edi, 5DFE3905h 0x00000014 push ebx 0x00000015 mov dword ptr [ebp+122D3C4Dh], edx 0x0000001b pop ebx 0x0000001c popad 0x0000001d push 00000000h 0x0000001f sub dword ptr [ebp+122D316Dh], edx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F0264E84AC8h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000015h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 movzx edi, di 0x00000044 push eax 0x00000045 push esi 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F0264E84ACBh 0x0000004d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C6FFB second address: 8C6FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C797B second address: 8C7980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C7980 second address: 8C79EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F0264BBFB24h 0x00000010 push 00000000h 0x00000012 mov di, CD04h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F0264BBFB18h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D3734h], ebx 0x00000038 sub dword ptr [ebp+1247A045h], eax 0x0000003e xchg eax, ebx 0x0000003f jmp 00007F0264BBFB1Ch 0x00000044 push eax 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C79EA second address: 8C79EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C7765 second address: 8C776B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C79EE second address: 8C79F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C8F4D second address: 8C8F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C8F52 second address: 8C8FA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c je 00007F0264E84ACCh 0x00000012 sub dword ptr [ebp+122D3C5Ah], eax 0x00000018 mov edi, ecx 0x0000001a push 00000000h 0x0000001c mov esi, 3E55EA99h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F0264E84AC8h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C8FA8 second address: 8C8FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CD2B9 second address: 8CD2BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CD2BD second address: 8CD2C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CD2C8 second address: 8CD306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84AD9h 0x00000009 popad 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e jnl 00007F0264E84AD2h 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F0264E84AC6h 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CE3E0 second address: 8CE3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F0264BBFB16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CE3F1 second address: 8CE401 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CE6BB second address: 8CE6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CE6BF second address: 8CE6C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8D0859 second address: 8D086C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8D159B second address: 8D159F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8D159F second address: 8D1614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F0264BBFB18h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov ebx, 4FCCEA00h 0x00000027 push 00000000h 0x00000029 stc 0x0000002a mov dword ptr [ebp+124799DCh], edx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F0264BBFB18h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c mov dword ptr [ebp+1244F31Eh], esi 0x00000052 mov di, 4F00h 0x00000056 xchg eax, esi 0x00000057 jg 00007F0264BBFB22h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 push eax 0x00000062 pop eax 0x00000063 pop edi 0x00000064 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8D26E5 second address: 8D2704 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F0264E84AC6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007F0264E84ACEh 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8D88D3 second address: 8D88EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0264BBFB25h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DA86D second address: 8DA871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8D7C23 second address: 8D7C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0264BBFB16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8D8B06 second address: 8D8B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8D6A63 second address: 8D6A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DAAB0 second address: 8DAAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DBB38 second address: 8DBB3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DBB3E second address: 8DBB48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0264E84AC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DCB5E second address: 8DCB64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DBCC3 second address: 8DBCDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DBCDF second address: 8DBCE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DCD56 second address: 8DCD60 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0264E84AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8DCD60 second address: 8DCD88 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007F0264BBFB16h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F0264BBFB29h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8E6E09 second address: 8E6E0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8E6E0D second address: 8E6E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8E6E13 second address: 8E6E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007F0264E84AC6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8E6E24 second address: 8E6E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0264BBFB25h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8E6E41 second address: 8E6E63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F0264E84AC6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8E699C second address: 8E69A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8EC418 second address: 8EC41C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8EC41C second address: 8EC422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8EC422 second address: 8EC428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8EC428 second address: 8EC42C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8EF743 second address: 8EF74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8EF74B second address: 8EF751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8EF751 second address: 8EF771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84AD1h 0x00000009 jp 00007F0264E84AC6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8EF771 second address: 8EF775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F3F3F second address: 8F3F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F3F45 second address: 8F3F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264BBFB1Eh 0x00000009 popad 0x0000000a js 00007F0264BBFB2Ch 0x00000010 jmp 00007F0264BBFB26h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F40D2 second address: 8F40D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F40D9 second address: 8F40E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F4672 second address: 8F468F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jno 00007F0264E84AC6h 0x0000000f popad 0x00000010 jnc 00007F0264E84AC8h 0x00000016 popad 0x00000017 push eax 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F8E59 second address: 8F8E5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F8E5D second address: 8F8E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F8E63 second address: 8F8E6E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007F0264BBFB16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F93B0 second address: 8F93BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0264E84AC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F93BC second address: 8F93DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F0264BBFB27h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F93DB second address: 8F93ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0264E84AC6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F93ED second address: 8F93F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F93F1 second address: 8F93F7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F93F7 second address: 8F93FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F9585 second address: 8F9589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F97DD second address: 8F97EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F0264BBFB16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F97EB second address: 8F97EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F97EF second address: 8F97F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F97F9 second address: 8F97FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F9AB6 second address: 8F9AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264BBFB1Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F9C51 second address: 8F9C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F9C57 second address: 8F9C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F9C5B second address: 8F9C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F9C5F second address: 8F9C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8F9DD3 second address: 8F9DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007F0264E84ACEh 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007F0264E84AC6h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8AB83D second address: 8AB842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8FA200 second address: 8FA21C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F0264E84AD6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9009C6 second address: 9009EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c jno 00007F0264BBFB16h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0264BBFB24h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA064 second address: 8CA068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA068 second address: 8CA0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, dword ptr [ebp+122D2F53h] 0x0000000f lea eax, dword ptr [ebp+12484DECh] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F0264BBFB18h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f nop 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 jo 00007F0264BBFB16h 0x00000039 pop edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA0AC second address: 8CA0C7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0264E84ACCh 0x00000008 jns 00007F0264E84AC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F0264E84AC8h 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA1EE second address: 8CA2B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0264BBFB22h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F0264BBFB25h 0x00000013 xchg eax, ebx 0x00000014 mov ecx, edi 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov dx, cx 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 ja 00007F0264BBFB1Ah 0x0000002d push esi 0x0000002e mov dh, D1h 0x00000030 pop edi 0x00000031 mov dword ptr [ebp+12484E44h], esp 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F0264BBFB18h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 sub ecx, 7562C0BFh 0x00000057 mov edx, dword ptr [ebp+122D39A4h] 0x0000005d cmp dword ptr [ebp+122D30E7h], 00000000h 0x00000064 jne 00007F0264BBFC16h 0x0000006a je 00007F0264BBFB1Ch 0x00000070 mov byte ptr [ebp+122D3188h], 00000047h 0x00000077 mov di, 45DCh 0x0000007b mov eax, D49AA7D2h 0x00000080 mov edi, dword ptr [ebp+122D30E7h] 0x00000086 nop 0x00000087 push eax 0x00000088 push edx 0x00000089 pushad 0x0000008a pushad 0x0000008b popad 0x0000008c jmp 00007F0264BBFB20h 0x00000091 popad 0x00000092 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA2B8 second address: 8CA2CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F0264E84ACAh 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA64D second address: 8CA651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA651 second address: 8CA655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA655 second address: 718D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F0264BBFB18h 0x0000000c popad 0x0000000d nop 0x0000000e movzx edi, bx 0x00000011 push dword ptr [ebp+122D0B49h] 0x00000017 call dword ptr [ebp+122D2A95h] 0x0000001d pushad 0x0000001e mov dword ptr [ebp+122D3560h], edx 0x00000024 xor eax, eax 0x00000026 add dword ptr [ebp+122D1CCCh], ecx 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 jmp 00007F0264BBFB1Bh 0x00000035 jmp 00007F0264BBFB22h 0x0000003a mov dword ptr [ebp+122D2E4Fh], eax 0x00000040 mov dword ptr [ebp+122D3560h], esi 0x00000046 mov esi, 0000003Ch 0x0000004b xor dword ptr [ebp+122D3160h], edx 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 mov dword ptr [ebp+122D3560h], edx 0x0000005b lodsw 0x0000005d cmc 0x0000005e add eax, dword ptr [esp+24h] 0x00000062 sub dword ptr [ebp+122D1CCCh], esi 0x00000068 mov ebx, dword ptr [esp+24h] 0x0000006c pushad 0x0000006d mov dword ptr [ebp+122D3560h], esi 0x00000073 and edx, dword ptr [ebp+122D2ED7h] 0x00000079 popad 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d push ecx 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA7DE second address: 8CA7E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA821 second address: 8CA825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA825 second address: 8CA82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA82B second address: 8CA836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F0264BBFB16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CA836 second address: 8CA876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F0264E84ACFh 0x0000000d xchg eax, esi 0x0000000e cld 0x0000000f sub dword ptr [ebp+124679A9h], ecx 0x00000015 nop 0x00000016 jmp 00007F0264E84AD9h 0x0000001b push eax 0x0000001c push ecx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CAF44 second address: 8CAF4E instructions: 0x00000000 rdtsc 0x00000002 js 00007F0264BBFB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CAF4E second address: 8CAFC3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0264E84AC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 je 00007F0264E84ACCh 0x00000016 popad 0x00000017 nop 0x00000018 call 00007F0264E84AD3h 0x0000001d jnc 00007F0264E84AD3h 0x00000023 pop edi 0x00000024 push 0000001Eh 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F0264E84AC8h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 mov dword ptr [ebp+122D3AE2h], eax 0x00000046 nop 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a push ebx 0x0000004b pop ebx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CAFC3 second address: 8CAFE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CB4F6 second address: 8CB4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CB4FB second address: 8CB515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0264BBFB25h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CB515 second address: 8AB83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 or dword ptr [ebp+122D2AC6h], eax 0x0000000e lea eax, dword ptr [ebp+12484DECh] 0x00000014 mov dx, A767h 0x00000018 push eax 0x00000019 push esi 0x0000001a jmp 00007F0264E84ACBh 0x0000001f pop esi 0x00000020 mov dword ptr [esp], eax 0x00000023 and di, 163Fh 0x00000028 call dword ptr [ebp+122D37E2h] 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push edx 0x00000032 pop edx 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 pop eax 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8FFDAF second address: 8FFDB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 87DFE4 second address: 87E034 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F0264E84AD3h 0x00000010 jng 00007F0264E84AD7h 0x00000016 jmp 00007F0264E84ACFh 0x0000001b push edx 0x0000001c pop edx 0x0000001d jng 00007F0264E84ACEh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9050E9 second address: 9050ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9050ED second address: 905122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84AD6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F0264E84ACCh 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jnc 00007F0264E84AC6h 0x00000019 pop edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 905122 second address: 905128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 905704 second address: 905718 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F0264E84AC6h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F0264E84AC6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 905718 second address: 90571C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 905846 second address: 90584A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90584A second address: 90585C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0264BBFB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jns 00007F0264BBFB16h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90585C second address: 905867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 905867 second address: 905875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F0264BBFB16h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 904DB3 second address: 904DB8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 904DB8 second address: 904DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0264BBFB26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 905DB5 second address: 905DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90606C second address: 906084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 906084 second address: 906088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 906088 second address: 90609A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jc 00007F0264BBFB24h 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90609A second address: 9060A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90E47C second address: 90E482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90E482 second address: 90E486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90E486 second address: 90E4A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB21h 0x00000007 jc 00007F0264BBFB16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90E4A4 second address: 90E4B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jno 00007F0264E84AC6h 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 90E645 second address: 90E67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007F0264BBFB2Eh 0x0000000b jmp 00007F0264BBFB28h 0x00000010 popad 0x00000011 push esi 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007F0264BBFB1Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 911BC1 second address: 911BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84ACDh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 916F7E second address: 916F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 916F82 second address: 916F88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 916F88 second address: 916F93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F0264BBFB16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 917261 second address: 917266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 917266 second address: 91726D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9173B4 second address: 917400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007F0264E84ACBh 0x00000014 popad 0x00000015 jg 00007F0264E84AFDh 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push edi 0x0000001f pop edi 0x00000020 jmp 00007F0264E84AD7h 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F0264E84ACCh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 917400 second address: 917404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 917505 second address: 917509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 917509 second address: 917542 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F0264BBFB22h 0x0000000e pushad 0x0000000f jmp 00007F0264BBFB22h 0x00000014 jbe 00007F0264BBFB16h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8CAF68 second address: 8CAFC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 call 00007F0264E84AD3h 0x0000000b jnc 00007F0264E84AD3h 0x00000011 pop edi 0x00000012 push 0000001Eh 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F0264E84AC8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D3AE2h], eax 0x00000034 nop 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 push ebx 0x00000039 pop ebx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 918424 second address: 91842B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 91842B second address: 918441 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F0264E84AC6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jl 00007F0264E84AC6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 918441 second address: 918445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 91C9EB second address: 91C9F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0264E84AC6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 91C9F9 second address: 91CA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F0264BBFB16h 0x00000014 jns 00007F0264BBFB16h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 92083A second address: 920840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 920840 second address: 920844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 920844 second address: 920857 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 920112 second address: 920116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 920116 second address: 920149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84AD4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0264E84AD7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 920149 second address: 92014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 920508 second address: 920511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9261ED second address: 9261F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9261F1 second address: 926206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84ACBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926206 second address: 926231 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0264BBFB1Ah 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jnp 00007F0264BBFB16h 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926231 second address: 926244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926244 second address: 92624A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9263A6 second address: 9263AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9263AE second address: 9263B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926515 second address: 926519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926A5F second address: 926A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926A63 second address: 926A80 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F0264E84AC8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F0264E84ACCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926A80 second address: 926A85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926A85 second address: 926A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926D1F second address: 926D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0264BBFB16h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926D2E second address: 926D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926D34 second address: 926D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 926D38 second address: 926D44 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 927297 second address: 9272BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jng 00007F0264BBFB18h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0264BBFB23h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9272BC second address: 9272C8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0264E84ACEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9272C8 second address: 9272D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F0264BBFB16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9272D4 second address: 9272D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 92D921 second address: 92D925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 92D925 second address: 92D942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007F0264E84AD1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 92D942 second address: 92D948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 88B754 second address: 88B764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACBh 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 88B764 second address: 88B76A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 930B5B second address: 930B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push esi 0x00000007 push ecx 0x00000008 jbe 00007F0264E84AC6h 0x0000000e pop ecx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 930E2C second address: 930E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0264BBFB20h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jns 00007F0264BBFB16h 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a jns 00007F0264BBFB1Ch 0x00000020 pushad 0x00000021 jbe 00007F0264BBFB16h 0x00000027 js 00007F0264BBFB16h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 930E6C second address: 930E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 930E77 second address: 930E7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 930FE8 second address: 930FEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 930FEC second address: 930FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9312C2 second address: 9312D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9312D0 second address: 9312D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 931442 second address: 931446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 931446 second address: 931465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0264BBFB27h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 931465 second address: 931469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 931469 second address: 93147E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 js 00007F0264BBFB16h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93A959 second address: 93A976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F0264E84ACBh 0x0000000c pop eax 0x0000000d jc 00007F0264E84AE2h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93A976 second address: 93A980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0264BBFB16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93A980 second address: 93A989 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93AF76 second address: 93AF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0264BBFB16h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93B247 second address: 93B253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0264E84AC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93B253 second address: 93B257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93B257 second address: 93B25B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93B3B4 second address: 93B3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pushad 0x00000007 jmp 00007F0264BBFB29h 0x0000000c jng 00007F0264BBFB16h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93B814 second address: 93B81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93C6BA second address: 93C6E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264BBFB1Bh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F0264BBFB22h 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93C6E2 second address: 93C6E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93C6E8 second address: 93C6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93C6EC second address: 93C700 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F0264E84AC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F0264E84ACEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93A508 second address: 93A511 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 93A511 second address: 93A517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9439DF second address: 9439EF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F0264BBFB16h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9439EF second address: 9439F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 95267A second address: 95268F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB1Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 95268F second address: 952693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 954A01 second address: 954A20 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F0264BBFB1Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jns 00007F0264BBFB16h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 954A20 second address: 954A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 960C02 second address: 960C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 960C06 second address: 960C1F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0264E84AC6h 0x00000008 jmp 00007F0264E84ACFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 964A8F second address: 964A96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 964918 second address: 96491C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 96491C second address: 964926 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 970943 second address: 97094C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 972C33 second address: 972C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 972C37 second address: 972C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 972C3D second address: 972C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F0264BBFB1Ah 0x0000000d jmp 00007F0264BBFB21h 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F0264BBFB16h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 979561 second address: 979576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F0264E84ACBh 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 977EAB second address: 977EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 977FF5 second address: 978006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0264E84ACCh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 978006 second address: 978016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0264BBFB16h 0x0000000a jno 00007F0264BBFB16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 978016 second address: 97801A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9781C8 second address: 9781CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9781CE second address: 9781D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9781D2 second address: 9781E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 jo 00007F0264BBFB2Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 978608 second address: 97862D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0264E84AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0264E84AD2h 0x0000000f pushad 0x00000010 ja 00007F0264E84AC6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 97862D second address: 978635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 978772 second address: 978776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 97D14F second address: 97D153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 97D153 second address: 97D15B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 97D15B second address: 97D161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 97D161 second address: 97D167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 97D167 second address: 97D16B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 97D16B second address: 97D17B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F0264E84AC6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 97CE77 second address: 97CE7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9895C4 second address: 989622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F0264E84AD4h 0x0000000b push edi 0x0000000c jmp 00007F0264E84AD2h 0x00000011 jno 00007F0264E84AC6h 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e jmp 00007F0264E84AD7h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 pushad 0x00000029 push edx 0x0000002a pop edx 0x0000002b pushad 0x0000002c popad 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 989622 second address: 989628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 989628 second address: 989632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0264E84AC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 99A6A1 second address: 99A6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AE973 second address: 9AE9B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F0264E84ACAh 0x00000011 jmp 00007F0264E84AD9h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AE9B5 second address: 9AE9CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB1Fh 0x00000007 jl 00007F0264BBFB1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AEC97 second address: 9AEC9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AEC9D second address: 9AECA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AECA1 second address: 9AECAE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AECAE second address: 9AECDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0264BBFB16h 0x0000000a jmp 00007F0264BBFB25h 0x0000000f popad 0x00000010 jmp 00007F0264BBFB1Ah 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AECDC second address: 9AECE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AECE2 second address: 9AECE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AF138 second address: 9AF140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AF140 second address: 9AF146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AF26D second address: 9AF271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AF271 second address: 9AF27C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AF27C second address: 9AF2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F0264E84AD2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0264E84AD4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AF671 second address: 9AF685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007F0264BBFB16h 0x0000000c jo 00007F0264BBFB16h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9AF685 second address: 9AF6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0264E84ACBh 0x0000000c jmp 00007F0264E84AD7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B23D6 second address: 9B23E0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0264BBFB1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B2671 second address: 9B2675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B2675 second address: 9B267B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B267B second address: 9B2680 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B2680 second address: 9B2686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B3C29 second address: 9B3C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B3C2F second address: 9B3C67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0264BBFB29h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B5A55 second address: 9B5A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84ACCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B5A65 second address: 9B5A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B5506 second address: 9B550A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B7654 second address: 9B7671 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0264BBFB28h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B7671 second address: 9B7691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0264E84AD9h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B7691 second address: 9B7695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B7695 second address: 9B76AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jng 00007F0264E84AC6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 9B76AA second address: 9B76AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 8C52C1 second address: 8C52D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a jo 00007F0264E84AC8h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A50408 second address: 4A5041F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A5041F second address: 4A50424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A50424 second address: 4A5042A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A5042A second address: 4A5042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A5042E second address: 4A50486 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov eax, edi 0x0000000c pushfd 0x0000000d jmp 00007F0264BBFB25h 0x00000012 add eax, 7049B836h 0x00000018 jmp 00007F0264BBFB21h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0264BBFB28h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A50486 second address: 4A5048C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A5048C second address: 4A504BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov edx, 7A37F4CCh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007F0264BBFB1Bh 0x00000015 mov edx, dword ptr [ebp+0Ch] 0x00000018 pushad 0x00000019 mov bx, ax 0x0000001c mov dx, cx 0x0000001f popad 0x00000020 mov ecx, dword ptr [ebp+08h] 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 movzx eax, dx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A8071A second address: 4A8071E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A8071E second address: 4A80724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80724 second address: 4A807E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 1505h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F0264E84AD0h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0264E84ACEh 0x00000019 add cx, 82C8h 0x0000001e jmp 00007F0264E84ACBh 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F0264E84AD8h 0x0000002a and ax, 0528h 0x0000002f jmp 00007F0264E84ACBh 0x00000034 popfd 0x00000035 popad 0x00000036 xchg eax, ecx 0x00000037 jmp 00007F0264E84AD6h 0x0000003c push eax 0x0000003d jmp 00007F0264E84ACBh 0x00000042 xchg eax, ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007F0264E84ACBh 0x0000004c sub si, 8BCEh 0x00000051 jmp 00007F0264E84AD9h 0x00000056 popfd 0x00000057 pushad 0x00000058 popad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A807E2 second address: 4A80812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, si 0x00000010 call 00007F0264BBFB1Ch 0x00000015 pop esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80812 second address: 4A8082D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0264E84AD7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A8082D second address: 4A80875 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F0264BBFB21h 0x00000011 xchg eax, esi 0x00000012 jmp 00007F0264BBFB1Eh 0x00000017 lea eax, dword ptr [ebp-04h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80875 second address: 4A8087E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, DEAEh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A8087E second address: 4A8088D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0264BBFB1Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A8088D second address: 4A80891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80891 second address: 4A808A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A808A0 second address: 4A808A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A808A4 second address: 4A808AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A808AA second address: 4A808D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0264E84AD4h 0x00000009 xor si, 9B58h 0x0000000e jmp 00007F0264E84ACBh 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A8093E second address: 4A809B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d jmp 00007F0264BBFB1Eh 0x00000012 mov esi, eax 0x00000014 pushad 0x00000015 movzx ecx, bx 0x00000018 mov ebx, 1C7F3EEEh 0x0000001d popad 0x0000001e je 00007F0264BBFBABh 0x00000024 pushad 0x00000025 push edx 0x00000026 pushfd 0x00000027 jmp 00007F0264BBFB1Eh 0x0000002c or ch, 00000038h 0x0000002f jmp 00007F0264BBFB1Bh 0x00000034 popfd 0x00000035 pop esi 0x00000036 push eax 0x00000037 push edx 0x00000038 call 00007F0264BBFB1Fh 0x0000003d pop eax 0x0000003e rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80A40 second address: 4A80A46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80A46 second address: 4A80A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80A4C second address: 4A80A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80A50 second address: 4A80A7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0264BBFB1Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80A7D second address: 4A80A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80A83 second address: 4A7002F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d sub esp, 04h 0x00000010 cmp eax, 00000000h 0x00000013 setne al 0x00000016 xor ebx, ebx 0x00000018 test al, 01h 0x0000001a jne 00007F0264BBFB17h 0x0000001c mov dword ptr [esp], 0000000Dh 0x00000023 call 00007F0268F3CD6Fh 0x00000028 mov edi, edi 0x0000002a pushad 0x0000002b mov cl, 17h 0x0000002d jmp 00007F0264BBFB21h 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 pushad 0x00000035 mov edx, eax 0x00000037 push esi 0x00000038 push ebx 0x00000039 pop esi 0x0000003a pop edi 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F0264BBFB1Ch 0x00000044 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A7002F second address: 4A7010A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0264E84AD6h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov bh, al 0x00000014 pushfd 0x00000015 jmp 00007F0264E84AD3h 0x0000001a xor eax, 379039BEh 0x00000020 jmp 00007F0264E84AD9h 0x00000025 popfd 0x00000026 popad 0x00000027 sub esp, 2Ch 0x0000002a pushad 0x0000002b jmp 00007F0264E84ACCh 0x00000030 pushfd 0x00000031 jmp 00007F0264E84AD2h 0x00000036 or ax, E9E8h 0x0000003b jmp 00007F0264E84ACBh 0x00000040 popfd 0x00000041 popad 0x00000042 xchg eax, ebx 0x00000043 pushad 0x00000044 mov bx, ax 0x00000047 push esi 0x00000048 pushfd 0x00000049 jmp 00007F0264E84AD7h 0x0000004e and ax, 69DEh 0x00000053 jmp 00007F0264E84AD9h 0x00000058 popfd 0x00000059 pop ecx 0x0000005a popad 0x0000005b push eax 0x0000005c pushad 0x0000005d mov ebx, ecx 0x0000005f push esi 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A7010A second address: 4A7014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 xchg eax, ebx 0x00000007 pushad 0x00000008 mov ax, 676Dh 0x0000000c pushfd 0x0000000d jmp 00007F0264BBFB1Ah 0x00000012 and ecx, 6B50B108h 0x00000018 jmp 00007F0264BBFB1Bh 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, edi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F0264BBFB25h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A7014C second address: 4A70168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70168 second address: 4A7016E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A701BB second address: 4A701CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 push ecx 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A701CF second address: 4A701D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A701D4 second address: 4A70270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0264E84ACBh 0x00000009 or cx, BF7Eh 0x0000000e jmp 00007F0264E84AD9h 0x00000013 popfd 0x00000014 mov si, 95C7h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b sub edi, edi 0x0000001d jmp 00007F0264E84AD3h 0x00000022 inc ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F0264E84ACBh 0x0000002c add cx, 1A3Eh 0x00000031 jmp 00007F0264E84AD9h 0x00000036 popfd 0x00000037 pushfd 0x00000038 jmp 00007F0264E84AD0h 0x0000003d and si, 7F38h 0x00000042 jmp 00007F0264E84ACBh 0x00000047 popfd 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70270 second address: 4A7029E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0264BBFB1Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A7029E second address: 4A702DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0264E84C1Ah 0x0000000f pushad 0x00000010 movzx eax, bx 0x00000013 mov bh, 27h 0x00000015 popad 0x00000016 lea ecx, dword ptr [ebp-14h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0264E84AD7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A703BE second address: 4A703C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A703C4 second address: 4A7042F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F0264E84B01h 0x0000000e pushad 0x0000000f mov dx, 36F8h 0x00000013 mov si, di 0x00000016 popad 0x00000017 cmp dword ptr [ebp-14h], edi 0x0000001a jmp 00007F0264E84AD3h 0x0000001f jne 00007F02D6032B70h 0x00000025 jmp 00007F0264E84AD6h 0x0000002a mov ebx, dword ptr [ebp+08h] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov esi, edi 0x00000032 jmp 00007F0264E84AD9h 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A7042F second address: 4A70436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, bl 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A7053C second address: 4A70540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70540 second address: 4A70546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70546 second address: 4A7054C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A7054C second address: 4A70550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A607C7 second address: 4A607F4 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push ecx 0x00000009 pushad 0x0000000a mov dx, FFE0h 0x0000000e popad 0x0000000f mov dword ptr [esp], ebp 0x00000012 jmp 00007F0264E84ACFh 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push edi 0x0000001d pop ecx 0x0000001e mov di, CD72h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A607F4 second address: 4A60807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0264BBFB1Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A709C3 second address: 4A709C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A709C7 second address: 4A709CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A709CB second address: 4A709D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A709D1 second address: 4A70A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0264BBFB1Dh 0x00000009 or ax, C936h 0x0000000e jmp 00007F0264BBFB21h 0x00000013 popfd 0x00000014 movzx esi, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push esp 0x0000001b pushad 0x0000001c mov eax, 7E7BBB35h 0x00000021 mov ch, D5h 0x00000023 popad 0x00000024 mov dword ptr [esp], ebp 0x00000027 jmp 00007F0264BBFB1Dh 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 call 00007F0264BBFB23h 0x00000036 pop esi 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70A33 second address: 4A70A39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70A39 second address: 4A70AA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [75C7459Ch], 05h 0x00000012 jmp 00007F0264BBFB20h 0x00000017 je 00007F02D5D5DAB3h 0x0000001d jmp 00007F0264BBFB20h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F0264BBFB1Dh 0x0000002c or cl, 00000066h 0x0000002f jmp 00007F0264BBFB21h 0x00000034 popfd 0x00000035 movzx ecx, dx 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70AA3 second address: 4A70AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70AA9 second address: 4A70AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70AED second address: 4A70AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70AF3 second address: 4A70B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 7FA17C22h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0264BBFB27h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A70B19 second address: 4A70B4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 0A67E00Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0264E84ACDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80B37 second address: 4A80B4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bl 0x00000005 mov ecx, 11DCB60Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, dword ptr [ebp+0Ch] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80B4B second address: 4A80BD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, EE1Bh 0x00000007 mov ax, 50F7h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 jmp 00007F0264E84ACAh 0x00000015 je 00007F02D6012318h 0x0000001b jmp 00007F0264E84AD0h 0x00000020 cmp dword ptr [75C7459Ch], 05h 0x00000027 jmp 00007F0264E84AD0h 0x0000002c je 00007F02D602A3CBh 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F0264E84ACEh 0x00000039 and cl, 00000078h 0x0000003c jmp 00007F0264E84ACBh 0x00000041 popfd 0x00000042 jmp 00007F0264E84AD8h 0x00000047 popad 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80BD7 second address: 4A80BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80BDB second address: 4A80BE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80BE1 second address: 4A80C0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 75h 0x00000005 mov dx, E652h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F0264BBFB28h 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80C0D second address: 4A80C13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80C13 second address: 4A80C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(4).exe	RDTSC instruction interceptor: First address: 4A80C6D second address: 4A80C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0264E84ACCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: 970540 second address: 96FD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 pushad 0x00000007 add ebx, dword ptr [ebp+122D3B62h] 0x0000000d movsx eax, dx 0x00000010 popad 0x00000011 push dword ptr [ebp+122D02A1h] 0x00000017 mov dword ptr [ebp+122D3719h], esi 0x0000001d call dword ptr [ebp+122D3653h] 0x00000023 pushad 0x00000024 cld 0x00000025 xor eax, eax 0x00000027 clc 0x00000028 mov edx, dword ptr [esp+28h] 0x0000002c jmp 00007F0264BBFB1Bh 0x00000031 mov dword ptr [ebp+122D3A3Ah], eax 0x00000037 pushad 0x00000038 clc 0x00000039 jnl 00007F0264BBFB1Ch 0x0000003f popad 0x00000040 sub dword ptr [ebp+122D2622h], edi 0x00000046 mov esi, 0000003Ch 0x0000004b clc 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 jp 00007F0264BBFB17h 0x00000056 lodsw 0x00000058 stc 0x00000059 add eax, dword ptr [esp+24h] 0x0000005d jmp 00007F0264BBFB22h 0x00000062 jnl 00007F0264BBFB21h 0x00000068 mov ebx, dword ptr [esp+24h] 0x0000006c jmp 00007F0264BBFB25h 0x00000071 push eax 0x00000072 push ecx 0x00000073 push eax 0x00000074 push edx 0x00000075 jl 00007F0264BBFB16h 0x0000007b rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE2CDB second address: AE2CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE2DFD second address: AE2E31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 je 00007F0264BBFB16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0264BBFB22h 0x00000013 jmp 00007F0264BBFB24h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE2E31 second address: AE2E3B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0264E84AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE2E3B second address: AE2E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE2E41 second address: AE2E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0264E84AC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE2F97 second address: AE2FE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0264BBFB1Fh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F0264BBFB25h 0x00000011 ja 00007F0264BBFB16h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F0264BBFB25h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE2FE3 second address: AE301E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0264E84AD3h 0x00000010 jmp 00007F0264E84AD3h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE3198 second address: AE319E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE319E second address: AE31AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE31AA second address: AE31AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE31AF second address: AE31B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE3475 second address: AE347B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE7081 second address: AE70CD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push edx 0x0000000b jnl 00007F0264E84AC6h 0x00000011 pop edx 0x00000012 jmp 00007F0264E84AD6h 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d jmp 00007F0264E84ACDh 0x00000022 pushad 0x00000023 jmp 00007F0264E84ACEh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE70CD second address: 96FD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 mov edi, 6480DD05h 0x0000000c push dword ptr [ebp+122D02A1h] 0x00000012 jmp 00007F0264BBFB29h 0x00000017 mov ch, 7Fh 0x00000019 call dword ptr [ebp+122D3653h] 0x0000001f pushad 0x00000020 cld 0x00000021 xor eax, eax 0x00000023 clc 0x00000024 mov edx, dword ptr [esp+28h] 0x00000028 jmp 00007F0264BBFB1Bh 0x0000002d mov dword ptr [ebp+122D3A3Ah], eax 0x00000033 pushad 0x00000034 clc 0x00000035 jnl 00007F0264BBFB1Ch 0x0000003b popad 0x0000003c sub dword ptr [ebp+122D2622h], edi 0x00000042 mov esi, 0000003Ch 0x00000047 clc 0x00000048 add esi, dword ptr [esp+24h] 0x0000004c jp 00007F0264BBFB17h 0x00000052 lodsw 0x00000054 stc 0x00000055 add eax, dword ptr [esp+24h] 0x00000059 jmp 00007F0264BBFB22h 0x0000005e jnl 00007F0264BBFB21h 0x00000064 mov ebx, dword ptr [esp+24h] 0x00000068 jmp 00007F0264BBFB25h 0x0000006d push eax 0x0000006e push ecx 0x0000006f push eax 0x00000070 push edx 0x00000071 jl 00007F0264BBFB16h 0x00000077 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE7111 second address: AE717F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0264E84ACEh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 jmp 00007F0264E84AD3h 0x00000017 call 00007F0264E84AD6h 0x0000001c jmp 00007F0264E84AD1h 0x00000021 pop edi 0x00000022 push 17DDA7C9h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jnl 00007F0264E84AC6h 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE7301 second address: AE738B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov si, 713Bh 0x0000000d push 00000000h 0x0000000f sub dword ptr [ebp+122D2B39h], esi 0x00000015 mov dword ptr [ebp+122D3594h], eax 0x0000001b push F779ACBDh 0x00000020 jmp 00007F0264BBFB1Eh 0x00000025 add dword ptr [esp], 088653C3h 0x0000002c mov ecx, dword ptr [ebp+122D3B56h] 0x00000032 push 00000003h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F0264BBFB18h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e jmp 00007F0264BBFB1Ah 0x00000053 push 00000000h 0x00000055 sbb di, AB49h 0x0000005a or dword ptr [ebp+122D2B39h], edi 0x00000060 push 00000003h 0x00000062 adc cl, FFFFFFCDh 0x00000065 mov dword ptr [ebp+122D2BD5h], ebx 0x0000006b push 93340CEFh 0x00000070 jnl 00007F0264BBFB1Eh 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE738B second address: AE73D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 xor dword ptr [esp], 53340CEFh 0x0000000c and edx, 0C84BB5Ch 0x00000012 lea ebx, dword ptr [ebp+1244AFA8h] 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F0264E84AC8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D3687h], ecx 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a pushad 0x0000003b jg 00007F0264E84AC6h 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE73D4 second address: AE7405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0264BBFB1Eh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F0264BBFB26h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE750A second address: AE750E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE750E second address: AE7525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0264BBFB1Ah 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE7525 second address: AE752E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AE752E second address: AE75D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jng 00007F0264BBFB24h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 jmp 00007F0264BBFB21h 0x0000001a push eax 0x0000001b jne 00007F0264BBFB16h 0x00000021 pop eax 0x00000022 popad 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 jmp 00007F0264BBFB28h 0x0000002c pop eax 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F0264BBFB18h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 or si, 6E1Ah 0x0000004c push 00000003h 0x0000004e mov si, di 0x00000051 push 00000000h 0x00000053 movsx ecx, dx 0x00000056 push 00000003h 0x00000058 mov esi, 1E1EA36Bh 0x0000005d push A57F7412h 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F0264BBFB21h 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B07D38 second address: B07D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F0264E84ACEh 0x0000000b push edx 0x0000000c pop edx 0x0000000d jp 00007F0264E84AC6h 0x00000013 pushad 0x00000014 jmp 00007F0264E84AD3h 0x00000019 jmp 00007F0264E84ACCh 0x0000001e jg 00007F0264E84AC6h 0x00000024 popad 0x00000025 popad 0x00000026 pushad 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B07D77 second address: B07D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jnl 00007F0264BBFB16h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: ADAFC1 second address: ADAFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84ACCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: ADAFD1 second address: ADAFE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB1Bh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B05B72 second address: B05B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B061D1 second address: B061DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B061DB second address: B061E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0264E84AC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B061E7 second address: B061FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F0264BBFB18h 0x0000000d push eax 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B061FA second address: B0621D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0264E84AD3h 0x00000008 jns 00007F0264E84AD2h 0x0000000e jo 00007F0264E84AC6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B064E5 second address: B064F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F0264BBFB16h 0x0000000c popad 0x0000000d push eax 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B064F8 second address: B06514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0264E84AD8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B06514 second address: B06522 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0264BBFB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B06522 second address: B06526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B06526 second address: B0652A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B06686 second address: B0668D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B067FF second address: B06803 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B06981 second address: B0698D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0264E84AC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B0698D second address: B069A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0264BBFB23h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B06B38 second address: B06B72 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0264E84AC6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0264E84AD1h 0x00000011 popad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F0264E84AD7h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B06B72 second address: B06B96 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0264BBFB16h 0x00000008 je 00007F0264BBFB16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007F0264BBFB20h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B06E5D second address: B06E8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F0264E84AD9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B074A3 second address: B074BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0264BBFB1Fh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B078D8 second address: B078DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B078DC second address: B078E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B0E2B4 second address: B0E2BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B0D1D1 second address: B0D1D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B0E36A second address: B0E370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B0F5E0 second address: B0F5E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: ADCABE second address: ADCACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84ACBh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: ADCACE second address: ADCADB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0264BBFB18h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD78FF second address: AD7909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD7909 second address: AD7920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F0264BBFB16h 0x0000000d jmp 00007F0264BBFB1Ah 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD7920 second address: AD7945 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0264E84AC6h 0x00000008 jmp 00007F0264E84AD3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F0264E84AD2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1243D second address: B12443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B12B2E second address: B12B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B12C7C second address: B12C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0264BBFB16h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B148F6 second address: B148FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B148FA second address: B148FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B148FE second address: B14904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B14CBC second address: B14CC2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B15498 second address: B1549C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1549C second address: B154A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B16E78 second address: B16E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0264E84AD8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B16E94 second address: B16F0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264BBFB27h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jnc 00007F0264BBFB1Ah 0x00000013 jp 00007F0264BBFB1Eh 0x00000019 pushad 0x0000001a jno 00007F0264BBFB16h 0x00000020 jmp 00007F0264BBFB27h 0x00000025 push esi 0x00000026 pop esi 0x00000027 jmp 00007F0264BBFB25h 0x0000002c popad 0x0000002d pushad 0x0000002e push eax 0x0000002f pop eax 0x00000030 jl 00007F0264BBFB16h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD0ECD second address: AD0EEF instructions: 0x00000000 rdtsc 0x00000002 js 00007F0264E84AC8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0264E84AD4h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD0EEF second address: AD0EF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B17F7F second address: B17F9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84ACCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F0264E84ACCh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B190A8 second address: B190B2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0264BBFB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B190B2 second address: B190B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B190B8 second address: B190BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B190BC second address: B19183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0264E84AD6h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F0264E84AC8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 adc esi, 1B2A57E1h 0x0000002f jmp 00007F0264E84AD4h 0x00000034 jns 00007F0264E84ACAh 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007F0264E84AC8h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 call 00007F0264E84ACBh 0x0000005b je 00007F0264E84ACCh 0x00000061 sub dword ptr [ebp+124483C0h], edx 0x00000067 pop edi 0x00000068 push 00000000h 0x0000006a jmp 00007F0264E84ACBh 0x0000006f xchg eax, ebx 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F0264E84ACFh 0x00000079 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B19183 second address: B19187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B19187 second address: B1918D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1918D second address: B19193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1A6EF second address: B1A70F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0264E84AD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0264E84AC6h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1C2D1 second address: B1C2D6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1C2D6 second address: B1C2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD41F5 second address: AD41FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD41FB second address: AD41FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD41FF second address: AD4207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD4207 second address: AD4211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F0264E84AC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD4211 second address: AD4215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD4215 second address: AD4225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jnp 00007F0264E84AC6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD4225 second address: AD4234 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: AD4234 second address: AD4238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B19A43 second address: B19A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1D355 second address: B1D35B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1D35B second address: B1D35F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1DDF6 second address: B1DDFC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1DDFC second address: B1DE06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0264BBFB16h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B1DE06 second address: B1DE79 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0264E84AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F0264E84AC8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 or dword ptr [ebp+122D22AFh], ebx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007F0264E84AC8h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 0000001Ah 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 add dword ptr [ebp+12448588h], edx 0x0000004f push 00000000h 0x00000051 mov esi, 712E9AF4h 0x00000056 push eax 0x00000057 jc 00007F0264E84AD0h 0x0000005d pushad 0x0000005e pushad 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B22CA1 second address: B22CA7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B243AD second address: B243B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B25D99 second address: B25D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B293EB second address: B29476 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0264E84ACCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F0264E84AD6h 0x00000012 clc 0x00000013 pop edi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F0264E84AC8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F0264E84AC8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000017h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c jno 00007F0264E84AC6h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 jmp 00007F0264E84AD4h 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B29476 second address: B2947B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B28489 second address: B2848F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B2857C second address: B28582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B28582 second address: B28596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F0264E84ACCh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B2A56F second address: B2A589 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0264BBFB1Ch 0x00000008 jc 00007F0264BBFB16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jl 00007F0264BBFB20h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B29658 second address: B29669 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0264E84AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	RDTSC instruction interceptor: First address: B29669 second address: B2966D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random(4).exe	Special instruction interceptor: First address: 718D07 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(4).exe	Special instruction interceptor: First address: 718D96 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(4).exe	Special instruction interceptor: First address: 718D0D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(4).exe	Special instruction interceptor: First address: 8BD3F2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(4).exe	Special instruction interceptor: First address: 8BBA84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Special instruction interceptor: First address: 96FCCF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Special instruction interceptor: First address: 96FDAC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Special instruction interceptor: First address: 96FCE8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Special instruction interceptor: First address: B38618 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Special instruction interceptor: First address: B206C7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Special instruction interceptor: First address: B9C867 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Special instruction interceptor: First address: 29EBAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Special instruction interceptor: First address: 29EC54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Special instruction interceptor: First address: 43E958 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Special instruction interceptor: First address: 4678F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Special instruction interceptor: First address: 44568D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: C6EBAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: C6EC54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E0E958 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E378F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E1568D instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Special instruction interceptor: First address: E9EBAF instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Special instruction interceptor: First address: E9EC54 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Special instruction interceptor: First address: 103E958 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Special instruction interceptor: First address: 10678F2 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Special instruction interceptor: First address: 104568D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Special instruction interceptor: First address: 9C4C74 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Special instruction interceptor: First address: 81C71F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Special instruction interceptor: First address: A458BF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Special instruction interceptor: First address: CB9AAC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Special instruction interceptor: First address: CB9B72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Special instruction interceptor: First address: E60C9F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Special instruction interceptor: First address: EEDA9E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Special instruction interceptor: First address: E5F74E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Special instruction interceptor: First address: 1360BFC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Special instruction interceptor: First address: 15093F0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Special instruction interceptor: First address: E08D07 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Special instruction interceptor: First address: E08D96 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Special instruction interceptor: First address: E08D0D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Special instruction interceptor: First address: FAD3F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Special instruction interceptor: First address: 61FCCF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Special instruction interceptor: First address: 61FDAC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Special instruction interceptor: First address: 61FCE8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Special instruction interceptor: First address: 7E8618 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Special instruction interceptor: First address: 7D06C7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Special instruction interceptor: First address: 15998AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Special instruction interceptor: First address: 84C867 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Special instruction interceptor: First address: FABA84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Special instruction interceptor: First address: ACDBAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Special instruction interceptor: First address: ACDB4B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Special instruction interceptor: First address: C5D3E8 instructions caused by: Self-modifying code

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Memory allocated: 206192C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Memory allocated: 20631430000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Memory allocated: 266A4580000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Memory allocated: 266BC870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Memory allocated: 4B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Memory allocated: 6DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Memory allocated: 4D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Memory allocated: 4F90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Memory allocated: 4D90000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe

Code function: 5_2_04A80C87 rdtsc

5_2_04A80C87

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1069	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1012	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 978	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 798	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Window / User API: threadDelayed 3800
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Window / User API: threadDelayed 478
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window / User API: threadDelayed 753
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window / User API: threadDelayed 762
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window / User API: threadDelayed 753
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window / User API: threadDelayed 741
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window / User API: threadDelayed 732
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window / User API: threadDelayed 756
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window / User API: threadDelayed 753
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Window / User API: threadDelayed 728
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Window / User API: threadDelayed 948
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1409

Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_pytransform.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\win32\win32api.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\win32\win32trace.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\win32\_win32sysloader.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin\win32ui.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

API coverage: 0.8 %

Source: C:\Users\user\Desktop\random(4).exe TID: 7124	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe TID: 5064	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7660	Thread sleep count: 1069 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7660	Thread sleep time: -2139069s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7664	Thread sleep count: 1012 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7664	Thread sleep time: -2025012s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7536	Thread sleep count: 99 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7536	Thread sleep time: -2970000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7644	Thread sleep count: 1015 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7644	Thread sleep time: -2031015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7656	Thread sleep count: 978 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7656	Thread sleep time: -1956978s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7640	Thread sleep count: 798 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7640	Thread sleep time: -1596798s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe TID: 8068	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe TID: 7212	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe TID: 7092	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe TID: 7092	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 1620	Thread sleep count: 753 > 30
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 1620	Thread sleep time: -1506753s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 344	Thread sleep count: 762 > 30
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 344	Thread sleep time: -1524762s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 648	Thread sleep count: 753 > 30
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 648	Thread sleep time: -1506753s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 2200	Thread sleep count: 741 > 30
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 2200	Thread sleep time: -1482741s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 8000	Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 2124	Thread sleep count: 732 > 30
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 2124	Thread sleep time: -1464732s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 4884	Thread sleep count: 756 > 30
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 4884	Thread sleep time: -1512756s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 2076	Thread sleep count: 753 > 30
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 2076	Thread sleep time: -1506753s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 4488	Thread sleep count: 728 > 30
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe TID: 4488	Thread sleep time: -1456728s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe TID: 2992	Thread sleep time: -148074s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe TID: 1360	Thread sleep time: -158079s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe TID: 1148	Thread sleep time: -160080s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe TID: 4432	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe TID: 5956	Thread sleep time: -152076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe TID: 5580	Thread sleep time: -178089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe TID: 1312	Thread sleep time: -152076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe TID: 3220	Thread sleep time: -176088s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe TID: 2148	Thread sleep count: 31 > 30
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe TID: 6656	Thread sleep count: 948 > 30
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe TID: 7616	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6748	Thread sleep count: 157 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6748	Thread sleep time: -314157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6812	Thread sleep count: 164 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6812	Thread sleep time: -328164s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6728	Thread sleep count: 150 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6728	Thread sleep time: -300150s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 2000	Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6752	Thread sleep count: 161 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6752	Thread sleep time: -322161s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 8072	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6760	Thread sleep count: 161 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6760	Thread sleep time: -322161s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6800	Thread sleep count: 160 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6800	Thread sleep time: -320160s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6788	Thread sleep count: 164 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6788	Thread sleep time: -328164s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6776	Thread sleep count: 160 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 6776	Thread sleep time: -320160s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe TID: 7804	Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe TID: 7804	Thread sleep count: 156 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 1220	Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 7916	Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 5068	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 7848	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 7848	Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 5800	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 3668	Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 5808	Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe TID: 2324	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe TID: 3120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe TID: 280	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe TID: 280	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3988	Thread sleep count: 1409 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe TID: 6080	Thread sleep count: 81 > 30
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe TID: 5560	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\random(4).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe

Code function: 10_2_00820DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

10_2_00820DA9

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF2C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,

4_2_6BF2C930

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\CEF	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior

Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2322323597.0000000000AEB000.00000040.00000001.01000000.00000006.sdmp, 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe, 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe, 00000005.00000002.2079424276.000000000041F000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 0000000E.00000002.2359725716.0000000000DEF000.00000040.00000001.01000000.0000000C.sdmp, FIJDGIJJKE.exe, 00000011.00000002.2379901363.000000000101F000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 943fedf78d.exe, 0000000D.00000003.4131972162.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /adc3nkKcii0UMqemf5IqB7fOBw3VtAnj19tg3BOG+3kYN9IaBgyNmTA38kNa1k+Wk+6H3oFwPqdCytDdc4LvTbwTVisnLPv/1UJX9r7TLrODD+faZuG/B2ar8NwTghu8HCPm3kTsbB2xF8MUXoJqV9cfIr9VpXqXdJskCKdm616N0+dqIxxsHFEXwhKLowujYooW+lAgjvaj6gA5Y4f7eRgX0htjHQwYRGNXZ26CSmcnv/OrlpZfQ5dKhdiDgnt8aTa1jkOci+jRE8MT66F7lkfvo8/UFQtTZ98m6Xb3nwiZ1zZ+Qp28+DVTUxPqpm8CMjpm2sSBWhenr/Fd02KeWJi3Mms2CPkdFBKXVt9DPsSE69PutGG/Z6Y/8Vtjght/adc3nkKcii0UMqemf5IqB7fOBw3U9MqD0s8Q2JODGkh5M3cOQp2NOYBHcmNqgr5W8w532mBRX4KCznDch2ZPbK3TBztneLl8AWGk8q0TKsemb6K+VmXKguZ75KzzYp+ImLCiGrYIuPj1AncGz9dOU2f+A+8EML9DtvvkeIOFa5ictzOeRSmpPNWiVycPE5p2c90iXpR1z4dCy5DdcqJ7fNwnM59CPT1JAGdCN5tC3rYDCpa7AXSfhiLIFzv19M3PjlA1qaT6ei4nsPXUHECppbVMcI3Wd8hgRatEiFbl3b6O0NUKNhnIbTEWoxcrps60Rz4CzrWku+eiL/Vc8gKdTbwT1qpXKeis5dNTxQ8TGhYETdHLNlWx
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe, 00000005.00000003.2062284194.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B529000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9ce3a8a3dc.exe, 0000000C.00000003.2400323329.0000000001593000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2441193868.0000000001594000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: 9ce3a8a3dc.exe, 0000000C.00000002.2432974632.000000000155C000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000155C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968516826.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791619976.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845454341.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1802092337.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801922934.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 9ce3a8a3dc.exe, 0000000C.00000003.2400323329.0000000001593000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2441193868.0000000001594000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware}_
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2322323597.0000000000AEB000.00000040.00000001.01000000.00000006.sdmp, 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe, 00000005.00000002.2079424276.000000000041F000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 0000000E.00000002.2359725716.0000000000DEF000.00000040.00000001.01000000.0000000C.sdmp, FIJDGIJJKE.exe, 00000011.00000002.2379901363.000000000101F000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\random(4).exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random(4).exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random(4).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe

Code function: 5_2_04A801B1 Start: 04A801C4 End: 04A801C8

5_2_04A801B1

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random(4).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\FIJDGIJJKE.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe

Code function: 5_2_04A80C87 rdtsc

5_2_04A80C87

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF4B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_6BF4B1F7

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF773E0 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_6BF773E0

Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_0026652B mov eax, dword ptr fs:[00000030h]	5_2_0026652B
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Code function: 5_2_0026A302 mov eax, dword ptr fs:[00000030h]	5_2_0026A302
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_0083619E mov edi, dword ptr fs:[00000030h]	10_2_0083619E
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_00801690 mov edi, dword ptr fs:[00000030h]	10_2_00801690

Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe

Code function: 10_2_0081C705 GetProcessHeap,

10_2_0081C705

Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF4B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6BF4B1F7
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Code function: 4_2_6BF4B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6BF4B66C
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_0080E06C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0080E06C
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_008172FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_008172FD
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_0080E420 SetUnhandledExceptionFilter,	10_2_0080E420
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: 10_2_0080E42C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0080E42C

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144, type: MEMORYSTR

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm'
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm'

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe

Code function: 10_2_0083619E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

10_2_0083619E

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe

Memory written: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: 9ce3a8a3dc.exe, 0000000A.00000002.2201820635.00000000028AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pancakedipyps.click

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJDGIJJKE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe "C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe "C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe "C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe "C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe "C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe "C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe "C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe "C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe "C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe "C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe "C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe "C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe "C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Process created: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe "C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\FIJDGIJJKE.exe "C:\Users\user\Documents\FIJDGIJJKE.exe"
Source: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Process created: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe "C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe"
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz
Source: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\LQJwYFm'

Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T

Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe	Binary or memory string: tProgram Manager
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2325888288.0000000000B36000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: ^Program Manager
Source: 7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe, 00000005.00000002.2080255805.0000000000464000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 0000000E.00000002.2360101734.0000000000E34000.00000040.00000001.01000000.0000000C.sdmp, FIJDGIJJKE.exe, 00000011.00000002.2387213619.0000000001064000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: tProgram Manager

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF4B341 cpuid

4_2_6BF4B341

Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: GetLocaleInfoW,	10_2_008208CD
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_00820062
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: EnumSystemLocalesW,	10_2_008202B3
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: GetLocaleInfoW,	10_2_0081BA4C
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_0082034E
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: EnumSystemLocalesW,	10_2_008205A1
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: EnumSystemLocalesW,	10_2_008206D5
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: GetLocaleInfoW,	10_2_00820600
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_008207C7
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: EnumSystemLocalesW,	10_2_0081BFF0
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Code function: GetLocaleInfoW,	10_2_00820720

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\random(4).exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028440001\a098b3631cf208cac539d0c4da0de1eb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028440001\a098b3631cf208cac539d0c4da0de1eb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Util VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info\licenses VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info\licenses VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\certifi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\libcrypto-1_1.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\libssl-1_1.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\psutil VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\sqlite3.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\VCRUNTIME140.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_decimal.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\jaraco VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor\jaraco VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Code function: 4_2_6BF135A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp,

4_2_6BF135A0

Source: C:\Users\user\Desktop\random(4).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Source: 9ce3a8a3dc.exe, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ender\MsMpeng.exe
Source: random(4).exe, 00000000.00000003.1801861765.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801768237.0000000005399000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1802092337.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801922934.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\random(4).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 21.2.skotes.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.skotes.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.FIJDGIJJKE.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.skotes.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3667795783.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2987197716.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2366087745.0000000000E31000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2078214906.0000000000231000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random(4).exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9ce3a8a3dc.exe PID: 8044, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.334592f815.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.334592f815.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.3711440745.00000000003D1000.00000040.00000001.01000000.0000002C.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.4097470810.00000000003D1000.00000040.00000001.01000000.0000002C.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3714687550.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2313455015.0000000000721000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: random(4).exe, 00000000.00000003.1845169784.0000000000D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC"Q
Source: random(4).exe, 00000000.00000003.1791619976.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random(4).exe, 00000000.00000003.1845169784.0000000000D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.j
Source: random(4).exe, 00000000.00000003.1845169784.0000000000D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC"Q
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random(4).exe, 00000000.00000003.1845169784.0000000000D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""]
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random(4).exe, 00000000.00000003.1764078892.000000000539D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusWe
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 185.215.113.16nes\AppData\Roaming\Binance\simple-storage.jsonm
Source: random(4).exe, 00000000.00000003.1845169784.0000000000D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""]
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random(4).exe, 00000000.00000003.1791761313.0000000000D49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random(4).exe, 00000000.00000003.1845169784.0000000000D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""]
Source: NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\Desktop\random(4).exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\random(4).exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS

Source: Yara match	File source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000003.4119625833.000000000165D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3968382392.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3869502337.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.4156576126.000000000165D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3896221310.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2313455015.00000000007EC000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.4074538250.00000000013D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random(4).exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9ce3a8a3dc.exe PID: 8044, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random(4).exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9ce3a8a3dc.exe PID: 8044, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 4.2.NU4SX64NXMV3YXYV8G3PIA0S0.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.334592f815.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.334592f815.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.3711440745.00000000003D1000.00000040.00000001.01000000.0000002C.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.4097470810.00000000003D1000.00000040.00000001.01000000.0000002C.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3714687550.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2313455015.0000000000721000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: NU4SX64NXMV3YXYV8G3PIA0S0.exe PID: 4144, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	511 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Scheduled Task/Job	2 Bypass User Account Control	11 Deobfuscate/Decode Files or Information	LSASS Memory	13 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	4 Obfuscated Files or Information	Security Account Manager	258 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	212 Process Injection	22 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 PowerShell	Network Logon Script	1 Scheduled Task/Job	1 Timestomp	LSA Secrets	981 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Bypass User Account Control	DCSync	461 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	461 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	212 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random(4).exe	58%	Virustotal		Browse
random(4).exe	47%	ReversingLabs	Win32.Trojan.Cerbu
random(4).exe	100%	Avira	TR/Crypt.TPM.Gen
random(4).exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	24%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	95%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	45%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	50%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	47%	ReversingLabs	Win32.Trojan.Cerbu
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[4].exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Znyonm
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	5%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	24%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe	95%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe	24%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1028929001\d76dd796e0.exe	50%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe	24%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe	45%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe	47%	ReversingLabs	Win32.Trojan.Cerbu
C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1028937001\ad8a3a5306.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Znyonm
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\AutoIt3_x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.001\AutoIt3_x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.001\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.001\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\_MEI58162\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs

Name	Malicious	Antivirus Detection	Reputation
slipperyloo.lat	true
pancakedipyps.click	true
curverpluch.lat	true
tentabatte.lat	true
manyrestro.lat	true
bashfulacid.lat	true
wordyfindy.lat	true
shapestickyr.lat	true
http://185.215.113.206/c4becf79229cb002.php	true
talkynicer.lat	true

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	true
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256532484.000000000162F000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/	9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/api97	random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845169784.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845653640.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/sqlite3.dll&	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/freebl3.dll	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	9ce3a8a3dc.exe, 0000000C.00000003.2256532484.000000000162F000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/nss3.dll	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpfi	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/fe	9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/api	9ce3a8a3dc.exe, 9ce3a8a3dc.exe, 0000000C.00000003.2335294704.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2376579538.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2327552419.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400323329.0000000001593000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2452826288.0000000001601000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400489317.00000000015A6000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400121522.0000000001600000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2441193868.0000000001594000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2444078928.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320200715.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2376311717.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/jhBK	9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false
https://contile-images.services.mo	9ce3a8a3dc.exe, 0000000C.00000003.2267594754.000000000162E000.00000004.00000020.00020000.00000000.sdmp	false
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2267594754.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp	false
http://www.mozilla.com/en-US/blocklist/	NU4SX64NXMV3YXYV8G3PIA0S0.exe, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347880042.000000006BF8D000.00000002.00000001.01000000.0000000F.sdmp	false
http://185.215.113.16/#	random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/apiO	9ce3a8a3dc.exe, 0000000C.00000003.2327552419.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/b	random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/a	random(4).exe, 00000000.00000003.1763145473.000000000539B000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763212305.000000000539D000.00000004.00000800.00020000.00000000.sdmp	false
https://fancywaxxers.shop/c	random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.rootca1.amazontrust.com/rootca1.crl0	random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	false
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2267594754.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.rootca1.amazontrust.com0:	random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	random(4).exe, 00000000.00000003.1763262995.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1762994374.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763106978.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751972120.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1752021463.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2131344489.00000000053ED000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221672138.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2235257275.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2234911700.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221476307.0000000003C73000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2235067086.0000000003C27000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	false
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl	random(4).exe, 00000000.00000003.1802124250.000000000539B000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801768237.0000000005399000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1787935893.0000000005397000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1788085717.0000000005398000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791965316.0000000005399000.00000004.00000800.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.php2	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/S	random(4).exe, 00000000.00000003.1801861765.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	false
https://fieldhitty.click/api	943fedf78d.exe, 0000000D.00000003.4125929580.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, 943fedf78d.exe, 0000000D.00000003.4131889031.0000000001206000.00000004.00000020.00020000.00000000.sdmp, 943fedf78d.exe, 0000000D.00000003.4125929580.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/api9	9ce3a8a3dc.exe, 0000000C.00000002.2452826288.0000000001601000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400121522.0000000001600000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.micro	random(4).exe, 00000000.00000003.1845169784.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791619976.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1802092337.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801922934.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/K	random(4).exe, 00000000.00000003.1968516826.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845454341.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/api	random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845653640.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801783233.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845372507.000000000539E000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1787935893.000000000539E000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968353025.000000000539D000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845454341.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1801861765.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false
https://support.microsof	random(4).exe, 00000000.00000003.1751972120.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221476307.0000000003C75000.00000004.00000800.00020000.00000000.sdmp	false
https://pancakedipyps.click/api&	9ce3a8a3dc.exe, 0000000C.00000002.2452826288.0000000001601000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400121522.0000000001600000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpI	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	random(4).exe, 00000000.00000003.1752021463.00000000053C6000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221672138.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	false
https://pancakedipyps.click/pi	9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206z	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16:80/mine/random.exe5117-2476756634-1002	random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2228560257.000000000B762000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpY	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/0	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpb	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B529000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/pi#oLKU	9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/#	random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/mine/random.exe	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpp	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B529000.00000004.00000020.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	random(4).exe, 00000000.00000003.1763262995.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1762994374.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763106978.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751972120.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1752021463.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2131344489.00000000053ED000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221672138.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2235257275.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2234911700.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221476307.0000000003C73000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2235067086.0000000003C27000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/F	random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/steam/random.exeu	random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968225491.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206ones	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	false
http://x1.c.lencr.org/0	random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	false
http://x1.i.lencr.org/0	random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	random(4).exe, 00000000.00000003.1752021463.00000000053C6000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221672138.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/mozglue.dll	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	false
http://sourceforge.net/projects/s-zipsfxbuilder/)	55c1ca23f1.exe, 00000012.00000003.2311940788.0000000002403000.00000004.00000020.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	false
https://support.mozilla.org/products/firefoxgro.all	9ce3a8a3dc.exe, 0000000C.00000003.2255922169.0000000003CF4000.00000004.00000800.00020000.00000000.sdmp	false
https://fancywaxxers.shop:443/api	random(4).exe, 00000000.00000003.1845169784.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845653640.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791761313.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791557022.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1810775955.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	false
http://www.sqlite.org/copyright.html.	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2339386118.00000000054F4000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2347623795.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	false
https://fieldhitty.click/	943fedf78d.exe, 0000000D.00000003.4125929580.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, 943fedf78d.exe, 0000000D.00000003.4131889031.0000000001206000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/bm	9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256532484.000000000162F000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	false
https://fieldhitty.click/apid	943fedf78d.exe, 0000000D.00000003.4125929580.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, 943fedf78d.exe, 0000000D.00000003.4131889031.0000000001206000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/msvcp140.dll	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/steam/random.exe	random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968225491.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/softokn3.dllK	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/buiXoGK9	9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/apiuo	9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2447560681.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	false
https://pancakedipyps.click/bu	9ce3a8a3dc.exe, 0000000C.00000003.2398825314.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	false
https://ac.ecosia.org/autocomplete?q=	random(4).exe, 00000000.00000003.1751351396.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751295730.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1751424290.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000003.2140091027.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221121277.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2221017409.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/	random(4).exe, 00000000.00000003.1968225491.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1968557997.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	random(4).exe, 00000000.00000003.1776580455.000000000539D000.00000004.00000800.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2343245349.000000000B522000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2256390472.000000000162E000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.rootca1.amazontrust.com/rootca1.cer0?	random(4).exe, 00000000.00000003.1774866430.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2254721106.0000000003C0A000.00000004.00000800.00020000.00000000.sdmp	false
https://pancakedipyps.click/laiKoJ	9ce3a8a3dc.exe, 0000000C.00000003.2400004370.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000002.2445933284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2379447041.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2335777288.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2398825314.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2286847849.000000000158D000.00000004.00000020.00020000.00000000.sdmp, 9ce3a8a3dc.exe, 0000000C.00000003.2320718181.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	true
https://fancywaxxers.shop/api1	random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpion:	NU4SX64NXMV3YXYV8G3PIA0S0.exe, 00000004.00000002.2313455015.00000000007D5000.00000040.00000001.01000000.00000006.sdmp	false
https://fancywaxxers.shop/	random(4).exe, 00000000.00000003.1968762153.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1750674299.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1774346163.0000000005391000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1845570152.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763047280.0000000005396000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1763089582.000000000539A000.00000004.00000800.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1750659620.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1791619976.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, random(4).exe, 00000000.00000003.1787935893.0000000005391000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.186.35	unknown	United States	15169	GOOGLEUS	false
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
172.217.18.14	unknown	United States	15169	GOOGLEUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
64.233.167.84	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	unknown	United States	15169	GOOGLEUS	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
176.53.146.223	unknown	United Kingdom	35791	VANNINVENTURESGB	false
185.156.73.23	unknown	Russian Federation	48817	RELDAS-NETRU	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
142.250.186.164	unknown	United States	15169	GOOGLEUS	false
142.250.186.110	unknown	United States	15169	GOOGLEUS	false
172.67.129.178	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.16.195	unknown	United States	15169	GOOGLEUS	false
142.250.186.74	unknown	United States	15169	GOOGLEUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
34.197.122.172	unknown	United States	14618	AMAZON-AESUS	false

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583232
Start date and time:	2025-01-02 09:14:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	56
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random(4).exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@99/227@0/22
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target 9ce3a8a3dc.exe, PID 8044 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
03:15:05	API Interceptor	16x Sleep call for process: random(4).exe modified
03:15:40	API Interceptor	27589x Sleep call for process: skotes.exe modified
03:15:53	API Interceptor	8x Sleep call for process: 9ce3a8a3dc.exe modified
03:15:59	API Interceptor	15x Sleep call for process: NU4SX64NXMV3YXYV8G3PIA0S0.exe modified
03:16:09	API Interceptor	4919x Sleep call for process: AutoIt3_x64.exe modified
03:17:57	API Interceptor	5999x Sleep call for process: d76dd796e0.exe modified
03:18:09	API Interceptor	608x Sleep call for process: e13ae12563.exe modified
03:18:21	API Interceptor	1395x Sleep call for process: 6319f0cc28.exe modified
03:18:33	API Interceptor	53x Sleep call for process: powershell.exe modified
03:19:02	API Interceptor	2x Sleep call for process: 943fedf78d.exe modified
08:15:37	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
08:18:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 6319f0cc28.exe C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe
08:18:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 334592f815.exe C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe
08:18:29	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run a48f6ed5ed.exe C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe
08:18:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 8a0ebcc2e0.exe C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe
08:18:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 6319f0cc28.exe C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe
08:19:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 334592f815.exe C:\Users\user\AppData\Local\Temp\1028934001\334592f815.exe
08:19:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run a48f6ed5ed.exe C:\Users\user\AppData\Local\Temp\1028935001\a48f6ed5ed.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
104.21.48.1	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	inv#12180.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	172.67.157.254
	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	http://www.rr8844.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.208.240
	ETVk1yP43q.exe	Get hash	malicious	AZORult	Browse	104.21.79.229
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	7FEGBYFBHFBJH32.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3

Process:	C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\1028936001\8a0ebcc2e0.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2013088
Entropy (8bit):	6.068687396136205
Encrypted:	false
SSDEEP:	24576:4U77L3RZgH96z4S/zCtTFL/LcfQnolkbe7yFH3HtDg8VG:4U77L3RZo6/EFPQQny77I3N3VG
MD5:	19861D67B2811D6EB3BE1951B28703AE
SHA1:	FCE3CDCFC4067AF2451D638E99BB1EDE113C29B8
SHA-256:	7B8526752F7A9580FC6EE88C35C8DF39EF69BA1AB4241BBA1FAD1FB44C80A7A5
SHA-512:	D13EAC3F7E498217973DC153645FBEFDE3D281B8BE0B4EEC8B1C757948581A5BFA6E4EDF67A73B25AA2AC59895E20A8E94C4573BCAB92244A149405927230890
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 24%
Reputation:	unknown
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..d....}.O..........#............................@.............................0......Bt.......................................................S...........V.............. 3...........................................................................................text...0........................... ..`.rdata...Z.......\..................@..@.data....0...p.......R..............@....pdata...............^..............@..@.rsrc....V.......X...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
File Type:	data
Category:	dropped
Size (bytes):	58901
Entropy (8bit):	5.068099202040639
Encrypted:	false
SSDEEP:	1536:gOFibjoRjdvRFbflJd1IhtAHkC+z30KUKSfYqawCWrx1/+CwKUpSevOBNefUinHj:libjoRjdvRFbflJd1IhtAHkC+z30KUKf
MD5:	45CCD7AA40B42130C83A89A0682B8E0E
SHA1:	96EE9D78B7DEFCB54FA4465368B4E47BFC005129
SHA-256:	CD29D01A29AAC4D1B11D71FE893BFDFA43818B0AD34B1B831DB50A0115356D71
SHA-512:	A8EFA4967A3982E51596B4D2252B9C4343AB91FDB5C214891A996DE8A57532BACBCCE1C1738E1D09CDE7BFCDC2D3129689A22467C6D02B0710C1BD8EB8348E17
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.W....B.H.z..C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Unregister-IscsiSession........Get-IscsiConnection........Update-IscsiTarget........Get-IscsiSession........Update-IscsiTargetPortal........Set-IscsiChapSecret........New-IscsiTargetPortal........Remove-IscsiTargetPortal........Disconnect-IscsiTarget........Get-IscsiTarget........Get-IscsiTargetPortal........Connect-IscsiTarget........Register-IscsiSession..........rq.z..[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1........Invoke-AsWorkflow..........^4.z..K...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1........Remove-VpnConnectionRoute....&...Remove-VpnConnectionTriggerApplication....+...Remove-VpnConnectionTriggerDnsConfiguration....#...Add-VpnConnectionTriggerApplication........Add-VpnConnection....(...Add-VpnConnectionTriggerDnsConfiguration........Set-VpnConnection........Remove-VpnConnection....&..

Process:	C:\Users\user\Desktop\random(4).exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3229696
Entropy (8bit):	6.694527762643923
Encrypted:	false
SSDEEP:	49152:crGsKUNW0CaotgIHBZ84N1zJpfNK9tuUPe/ertjfw:crGsH80CjtpHBZZpfN6tuUWItTw
MD5:	F70FD98886425270B5017B04C74B31B8
SHA1:	4986A38E280964CA0D7182C915937DE01C3A4929
SHA-256:	2DC46C49E36B784224D8BECA0430CAF53E821640D359C855B35025C0CFA22AB9
SHA-512:	5DD23707162709C4CB27416E1111EB60FE40DCA24DD34DFF64F54FADAD943B66A06255AF37D09AA037F910FF06369C3763EC6FC0940FC3803303E47D9B8947B6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................P1...........@...........................1.......2...@.................................W...k............................51..............................51..................................................... . ............................@....rsrc...............................@....idata ............................@...xqzoqyib..........................@...ryeovcsc.....@1......"1.............@....taggant.0...P1.."...&1.............@...........................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Process:	C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3229696
Entropy (8bit):	6.694527762643923
Encrypted:	false
SSDEEP:	49152:crGsKUNW0CaotgIHBZ84N1zJpfNK9tuUPe/ertjfw:crGsH80CjtpHBZZpfN6tuUWItTw
MD5:	F70FD98886425270B5017B04C74B31B8
SHA1:	4986A38E280964CA0D7182C915937DE01C3A4929
SHA-256:	2DC46C49E36B784224D8BECA0430CAF53E821640D359C855B35025C0CFA22AB9
SHA-512:	5DD23707162709C4CB27416E1111EB60FE40DCA24DD34DFF64F54FADAD943B66A06255AF37D09AA037F910FF06369C3763EC6FC0940FC3803303E47D9B8947B6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................P1...........@...........................1.......2...@.................................W...k............................51..............................51..................................................... . ............................@....rsrc...............................@....idata ............................@...xqzoqyib..........................@...ryeovcsc.....@1......"1.............@....taggant.0...P1.."...&1.............@...........................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (6686)
Category:	downloaded
Size (bytes):	6691
Entropy (8bit):	5.7844921856385225
Encrypted:	false
SSDEEP:	192:1HDSt1M8Q2eS3qFd66666f3SCELVjgD4xQn+IaktR97:1HGAtS3Q66666Bej6l+IaktRF
MD5:	1620692E1BC10701594E1854AB7DDCE7
SHA1:	8B517190E6D6EDE9720BFD5C3C94D544018104F7
SHA-256:	CD0ECFEF4A0AEF6B5D6301F96BA4275FF421F2839FBAC300A3260E2EF5382923
SHA-512:	71F10B8705E68BCA584A613854D3E32E7CA7D68C22B7EAE756AC67E3A5225FC58BF4F43B5AAD68DD9DE7D2BB5C20B3051645E28ADBC176197685A3226E1C5632
Malicious:	false
Reputation:	unknown
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["lincoln wheat penny value","green bay packers","aurora borealis northern lights forecast","new year eve traditions","nyt crossword clues","gta 6 rockstar games","irs crypto cost basis","rose parade 2025"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"google:entityinfo":"CggvbS8wM2IzahINRm9vdGJhbGwgdGVhbTKyDGRhdGE6aW1hZ2UvcG5nO2Jhc2U2NCxpVkJPUncwS0dnb0FBQUFOU1VoRVVnQUFBRUFBQUFBcUNBTUFBQUEwMkszUUFBQUF5VkJNVkVYLy8vOGdOekVBSWhrQUtDQUhLU0lBTERJQUp6TUFMeklGS1NFQUtqSVFMU1lkTlM4QUpSM0p6TXNiTlRFYU15My9zZ0FSTWpMUDB0RUFHeEMwdUxmLzdjMy8ySXovOU9IL3ZBQUFIaFRiM2R6L3R3QUFGUVpvYzNELzVyai8zWjMvMEhQaG53REdqZ0NYY3hlQ2lvaWZwYU9ObEpJc1FEdi8rT3gzWWlUdTcrOWJaMlFBRHdDOWlRQ3FmUWZ0cFFEVm1BRC80S3Yvd0NlTWJCYUFaaHFnZUEzLzA0QTRRU3dvT2k1Q1Jpei95MlJSVFN3N1RFZGtXQ2oveDA1b1dDRktXRlFBQmdEL3hUNlA4NVRyQUFBRGgwbEVRVlJJaVpWVzIyS2lNQkFsSUVFU3JvSUtGUXNxZU1GRlFNVmF0YTNiLy8rb0hiVXFvR2ozd

Entrypoint:	0x702000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67701720 [Sat Dec 28 15:20:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x541f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x52000	0x52000	b646b712b4bca5218b78904f3ebd50b1	False	0.5857499285442073	data	7.09048271708439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x2b0	0x400	fe67bb2a9df3150b9c94de8bd81ed8a0	False	0.3603515625	data	5.186832724894366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x1000	0x200	39a711a7d804ccbc2a14eea65cf3c27e	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jimlxaop	0x55000	0x2ac000	0x2ab800	8f218805920576c097f8a566502dc809	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lzmmbpyt	0x301000	0x1000	0x600	71cde9d7c887c8329d5d74db855c6c93	False	0.5631510416666666	data	4.905707342335007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x302000	0x3000	0x2200	f2cd213de1abca86d19adc643bd0e67a	False	0.06387867647058823	DOS executable (COM)	0.7451263255728477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Target ID:	0
Start time:	03:15:02
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\random(4).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random(4).exe"
Imagebase:	0x6c0000
File size:	3'151'360 bytes
MD5 hash:	C77592F28D3267B7C5E0529B6741548A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	03:15:28
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\NU4SX64NXMV3YXYV8G3PIA0S0.exe"
Imagebase:	0x720000
File size:	5'175'296 bytes
MD5 hash:	14FC1658DE54A19670851A44AFC48ABC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000004.00000002.2327588011.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000004.00000002.2313455015.0000000000721000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2313455015.00000000007EC000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	03:15:34
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe"
Imagebase:	0x230000
File size:	3'229'696 bytes
MD5 hash:	F70FD98886425270B5017B04C74B31B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.2078214906.0000000000231000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	03:15:35
Start date:	02/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	03:15:37
Start date:	02/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=2192,i,12920997312320207026,11927117372627731275,262144 /prefetch:8
Imagebase:	0x760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	03:15:38
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xc00000
File size:	3'229'696 bytes
MD5 hash:	F70FD98886425270B5017B04C74B31B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	10
Start time:	03:15:51
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe"
Imagebase:	0x800000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	03:15:52
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1028925001\9ce3a8a3dc.exe"
Imagebase:	0x800000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	03:15:56
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1028926001\943fedf78d.exe"
Imagebase:	0xa20000
File size:	2'668'544 bytes
MD5 hash:	87330F1877C33A5A6203C49075223B16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 48%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	14
Start time:	03:16:00
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xc00000
File size:	3'229'696 bytes
MD5 hash:	F70FD98886425270B5017B04C74B31B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000E.00000002.2358601653.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random(4).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BKFBAECB

C:\ProgramData\CAKKJKKECFIDGDHIJEGD

C:\ProgramData\CBAEHCAE

C:\ProgramData\FCFHJKJJJECGDHJJDHDA

C:\ProgramData\FHIDAKFIJJKJJJKEBKJEHCBGDA

C:\ProgramData\KECFCGHIDHCAKEBFCFHC

C:\ProgramData\KKECFIEBGCAKJKECGCFIIECGDB

Windows Analysis Report
random(4).exe

Target ID:	18
Start time:	03:16:03
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1028927001\55c1ca23f1.exe"
Imagebase:	0x140000000
File size:	2'013'088 bytes
MD5 hash:	19861D67B2811D6EB3BE1951B28703AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 24%, ReversingLabs
Has exited:	false

Target ID:	21
Start time:	03:17:00
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xc00000
File size:	3'229'696 bytes
MD5 hash:	F70FD98886425270B5017B04C74B31B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000015.00000002.2987197716.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Target ID:	22
Start time:	03:17:17
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe"
Imagebase:	0x7ff6cc5f0000
File size:	94'133'369 bytes
MD5 hash:	A098B3631CF208CAC539D0C4DA0DE1EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	false

Target ID:	23
Start time:	03:17:23
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1028928001\982cf429c9.exe"
Imagebase:	0x7ff6cc5f0000
File size:	94'133'369 bytes
MD5 hash:	A098B3631CF208CAC539D0C4DA0DE1EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	25
Start time:	03:17:32
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1028930001\e13ae12563.exe"
Imagebase:	0x5b0000
File size:	4'487'680 bytes
MD5 hash:	C2968F40E6C44036E1D3E18BCA61C67D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Has exited:	true

Target ID:	28
Start time:	03:17:39
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1028931001\75b25e676e.exe"
Imagebase:	0x140000000
File size:	2'013'088 bytes
MD5 hash:	19861D67B2811D6EB3BE1951B28703AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 24%, ReversingLabs
Has exited:	false

Target ID:	29
Start time:	03:17:46
Start date:	02/01/2025
Path:	C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz
Imagebase:	0x7ff7f4380000
File size:	1'071'704 bytes
MD5 hash:	8FA52F316C393496F272357191DB6DEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	30
Start time:	03:17:47
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1028932001\13f4808de9.exe"
Imagebase:	0xc10000
File size:	4'484'096 bytes
MD5 hash:	F200A3445A8034D201EEB79BB29E1D73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 45%, ReversingLabs
Has exited:	true

Target ID:	31
Start time:	03:17:55
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1028933001\6319f0cc28.exe"
Imagebase:	0xdb0000
File size:	3'151'360 bytes
MD5 hash:	C77592F28D3267B7C5E0529B6741548A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000003.3968382392.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000003.3869502337.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000003.3896221310.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000003.4074538250.00000000013D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 47%, ReversingLabs
Has exited:	false

Target ID:	32
Start time:	03:18:00
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xc00000
File size:	3'229'696 bytes
MD5 hash:	F70FD98886425270B5017B04C74B31B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000020.00000002.3667795783.0000000000C01000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true