Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1585286
MD5:	f54491fdb13ecab8b06510f1c8431032
SHA1:	2e42f6e1a1a559a6ea6dbb974f68d3f598e568fc
SHA256:	40adba8fc61052a26baeb280f4645287ce1390e81ba42ff57b746f71b1c9f623
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected Stealc

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Hides threads from debuggers

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies windows update settings

Monitors registry run keys for changes

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F54491FDB13ECAB8B06510F1C8431032)

skotes.exe (PID: 5796 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: F54491FDB13ECAB8B06510F1C8431032)

skotes.exe (PID: 5932 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: F54491FDB13ECAB8B06510F1C8431032)

skotes.exe (PID: 2288 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: F54491FDB13ECAB8B06510F1C8431032)

c061393b55.exe (PID: 3916 cmdline: "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe" MD5: CB538563778A18D571E87AD75705668E)

c061393b55.exe (PID: 4772 cmdline: "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe" MD5: CB538563778A18D571E87AD75705668E)

WerFault.exe (PID: 7872 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1704 -ip 1704 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c "dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dxdiag.exe (PID: 1988 cmdline: dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt MD5: 19AB5AD061BF013EBD012D0682DF37E5)

taskkill.exe (PID: 4576 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 2632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 6040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 4776 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2012 --field-trial-handle=2008,i,17564928535210738890,5689791328347770168,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

taskkill.exe (PID: 7872 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 2380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 5924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1976 --field-trial-handle=1956,i,11737153874150669047,12636588976470451220,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

db0740f8e4.exe (PID: 1704 cmdline: "C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe" MD5: 6446A00EB59754E15749AF229B0D5217)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

db0740f8e4.exe (PID: 5816 cmdline: "C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe" MD5: 6446A00EB59754E15749AF229B0D5217)

WerFault.exe (PID: 7944 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

e0ac53ba53.exe (PID: 6660 cmdline: "C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe" MD5: 37E85A34D4EC7C387A79E20CE262F2CF)

cf4bd6029c.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe" MD5: 612B785A52C7C281DD891D4835E0E4CE)

05c06146f2.exe (PID: 800 cmdline: "C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe" MD5: 8E7317BD5F12DA95C46CA94572B2C331)

chrome.exe (PID: 3476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

msedge.exe (PID: 4036 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)

959ae18948.exe (PID: 5752 cmdline: "C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe" MD5: A5F4B776FBC130947C7EA91252E30747)

taskkill.exe (PID: 5356 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2348 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6972 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6724 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4536 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2780 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

taskkill.exe (PID: 2636 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

caf9f1bef3.exe (PID: 5264 cmdline: "C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe" MD5: CB31FF98156630BF835768E1C1B47EE1)

b3206cdf20.exe (PID: 6616 cmdline: "C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe" MD5: B87ABAE5DCF781D2DD96D6C8FBBDE6FF)

8c9c7a39f7.exe (PID: 1624 cmdline: "C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe" MD5: 1C0FDE14F7A46816A2E8A747A90E1584)

mstee.sys (PID: 4 cmdline: MD5: 244C73253E165582DDC43AF4467D23DF)

mskssrv.sys (PID: 4 cmdline: MD5: 26854C1F5500455757BC00365CEF9483)

cf4bd6029c.exe (PID: 6348 cmdline: "C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe" MD5: 612B785A52C7C281DD891D4835E0E4CE)

firefox.exe (PID: 7200 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7252 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2340 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f00215ad-1a9f-4dfa-990d-aaf96e354c4f} 7252 "\\.\pipe\gecko-crash-server-pipe.7252" 1a1d166eb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

05c06146f2.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe" MD5: 8E7317BD5F12DA95C46CA94572B2C331)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: LummaC

{"C2 url": ["framekgirus.shop", "abruptyopsn.shop", "pancakedipyps.click", "wholersorie.shop", "tirepublicerj.shop", "noisycuttej.shop", "cloudewahsj.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "FATE99--test"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[5].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[4].exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1033705001\54d18f4f90.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000003.2299818266.0000000001418000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2299582589.0000000001464000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.2429756005.0000000004D80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000003.2243727892.0000000004A90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000016.00000003.2312742082.000000000141B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1486452961.0000000000651000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1479494441.0000000000651000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: e0ac53ba53.exe PID: 6660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: e0ac53ba53.exe PID: 6660	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: cf4bd6029c.exe PID: 5516	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: cf4bd6029c.exe PID: 5516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.skotes.exe.650000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.650000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.2.file.exe.5d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 2288, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf4bd6029c.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe, ParentProcessId: 800, ParentProcessName: 05c06146f2.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 3476, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 2288, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf4bd6029c.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\mstee.sys, NewProcessName: C:\Windows\System32\drivers\mstee.sys, OriginalFileName: C:\Windows\System32\drivers\mstee.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: mstee.sys

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://sputnik-1985.com/apidP.a	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apisYE	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/=k	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/apibe	Avira URL Cloud: Label: malware
Source: https://steamcommunity.co	Avira URL Cloud: Label: phishing
Source: https://sputnik-1985.com/apiu(	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/api	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apiG	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/D	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apiS	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/l	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["framekgirus.shop", "abruptyopsn.shop", "pancakedipyps.click", "wholersorie.shop", "tirepublicerj.shop", "noisycuttej.shop", "cloudewahsj.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "FATE99--test"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[4].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[3].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[5].exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[3].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[3].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[4].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[5].exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1033702001\31f59e2a09.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1033705001\54d18f4f90.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\1033707001\a0d135de95.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\ITH3569MCVRCZNYE5XQ77V.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 58%			Perma Link
Source: file.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[4].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 185.215.113.43
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: S-%lu-
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abc3bc1985
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: skotes.exe
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Startup
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rundll32
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Programs
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: %USERPROFILE%
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cred.dll
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clip.dll
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: http://
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: https://
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /quiet
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /Plugins/
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: &unit=
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shell32.dll
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: kernel32.dll
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ProgramData\
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: AVAST Software
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Kaspersky Lab
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Panda Security
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Doctor Web
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 360TotalSecurity
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Bitdefender
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Norton
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Sophos
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Comodo
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: WinDefender
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 0123456789
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ------
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ?scr=1
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ComputerName
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: -unicode-
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: VideoID
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ProductName
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: CurrentBuild
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rundll32.exe
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: "taskkill /f /im "
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: " && timeout 1 && del
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: && Exit"
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: " && ren
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Powershell.exe
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shutdown -s -t 0
Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: random
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: cloudewahsj.shop
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: rabidcowse.shop
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: noisycuttej.shop
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: tirepublicerj.shop
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: framekgirus.shop
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: wholersorie.shop
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: abruptyopsn.shop
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: nearycrepso.shop
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: pancakedipyps.click
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 13.2.db0740f8e4.exe.400000.0.raw.unpack	String decryptor: FATE99--test

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Code function: 13_2_00415D89 CryptUnprotectData,

13_2_00415D89

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=e0ac53ba53.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=e0ac53ba53.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=e0ac53ba53.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: c061393b55.exe, 00000009.00000003.1987194818.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Handler.pdbxa source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, db0740f8e4.exe, 0000000B.00000000.2021154039.00000000005F2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: BasicDisplay.pdb source: dxdiag.exe, 00000013.00000003.2071866630.000002B0A0551000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Handler.pdb source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, db0740f8e4.exe, 0000000B.00000000.2021154039.00000000005F2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: c061393b55.exe, 00000009.00000003.1987037746.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: c061393b55.exe, 00000009.00000003.1987037746.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: c061393b55.exe, 00000009.00000003.1987194818.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BasicDisplay.pdbUGP source: dxdiag.exe, 00000013.00000003.2071866630.000002B0A0551000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: number of queries: 1001

Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	13_2_00441816
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov eax, esi	13_2_0043D0D0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	13_2_0043D0D0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	13_2_0040C080
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, word ptr [eax]	13_2_004442E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov word ptr [edx], cx	13_2_00418BA2
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	13_2_00444C20
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov ecx, edx	13_2_00430F03
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [edi], cl	13_2_0042F716
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	13_2_00417054
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	13_2_0041B021
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [ebx], al	13_2_0041B021
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	13_2_004438E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	13_2_004438F9
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	13_2_004438FB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	13_2_00422880
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ebx, bx	13_2_00427885
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	13_2_0041F170
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], eax	13_2_004421E9
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [edi+10h], 00000000h	13_2_004421E9
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ebx, byte ptr [esi]	13_2_0041618C
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	13_2_0041BA52
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov esi, ecx	13_2_0041BA52
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_0041BA52
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	13_2_00402210
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_0043A230
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00431AF5
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	13_2_0040B280
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	13_2_00440A90
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	13_2_00441B50
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [edi], bl	13_2_00409360
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00422370
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [edi], cl	13_2_0042FB7D
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	13_2_00408320
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	13_2_00419B30
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	13_2_0041F3E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [esi], al	13_2_0041B3F2
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov ecx, eax	13_2_0041AB90
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then jmp ecx	13_2_00428C62
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov ecx, eax	13_2_00427C10
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	13_2_00414C30
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov ecx, eax	13_2_00418492
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	13_2_0043CD40
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_0042C5E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov byte ptr [esi], al	13_2_0041B58F
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	13_2_004195B6
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	13_2_004195B6
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov edi, edx	13_2_0043E6E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx eax, word ptr [edx]	13_2_0043E6E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov ecx, edx	13_2_00430F4E
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov ecx, edx	13_2_00430F54
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov word ptr [ebx], ax	13_2_0041A770
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	13_2_00407730
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	13_2_00407730
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	13_2_00427FC0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	13_2_00427FC0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	13_2_004437D0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	13_2_0042A7F0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov edx, ecx	13_2_0042A7F0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov ecx, eax	13_2_00427FFD
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov edx, ecx	13_2_0042AF92
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_0042AF92
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 4x nop then mov edx, ecx	13_2_0042AFB0

Source: chrome.exe	Memory has grown: Private usage: 1MB later: 17MB
Source: firefox.exe	Memory has grown: Private usage: 1MB later: 48MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: pancakedipyps.click
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	IPs: 185.215.113.43

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 104.26.9.59 104.26.9.59

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_005DE0C0 recv,recv,recv,recv,

1_2_005DE0C0

Source: e0ac53ba53.exe, e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/9yH
Source: cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exexp
Source: e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe;_cd_
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeEMM
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeG
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exek
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exestat
Source: cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/qy
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/sc
Source: cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: e0ac53ba53.exe, 00000015.00000003.2398710636.00000000058F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/steam/random.exe9(
Source: c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.dig
Source: c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digX
Source: c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digiX
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: c061393b55.exe, 0000000A.00000003.2016296141.00000200D38FA000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017404603.00000200D392B000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015079597.00000200D38FD000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016878815.00000200D3907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: c061393b55.exe, 0000000A.00000003.2014574686.00000200D3CBC000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015713624.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015589940.00000200D3CFB000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016222955.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2014574686.00000200D3CFB000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016659534.00000200D3956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: c061393b55.exe, 0000000A.00000003.2016384535.00000200D3CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: c061393b55.exe, 0000000A.00000003.2016384535.00000200D3CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: c061393b55.exe, 0000000A.00000003.2012943211.00000200D381B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2196857322.0000000001470000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2196857322.0000000001470000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2196857322.0000000001470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: c061393b55.exe, 00000009.00000003.2002233300.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: c061393b55.exe, 00000009.00000003.2002233300.0000020D0AFD2000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002367730.0000020D0AFD2000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002233300.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: c061393b55.exe, 0000000A.00000003.2012943211.00000200D381B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1999665526.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1998279885.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2003819372.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1995564840.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989144362.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987912445.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988062517.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1992018588.0000020D0AFCC000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: c061393b55.exe, 0000000A.00000003.2018241146.00000200D3D46000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017650493.00000200D3D58000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017986400.00000200D3D58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assign
Source: c061393b55.exe, 0000000A.00000003.2018241146.00000200D3D95000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017932668.00000200D3D8A000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017986400.00000200D3D48000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017650493.00000200D3D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
Source: e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fa
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fas
Source: e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastl
Source: e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastl9
Source: e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly
Source: e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.
Source: e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.s
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.stea
Source: cf4bd6029c.exe, 00000016.00000003.2300941183.0000000001461000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2328481395.0000000001461000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamst
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/p
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/sticke
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/moda
Source: cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalConte
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=eng
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrE
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css
Source: cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.#U
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=en
Source: cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
Source: e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: c061393b55.exe, 0000000A.00000003.2013216168.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015713624.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2012943211.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015079597.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2014154422.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016222955.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011995088.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016659534.00000200D3956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/astral-sh/ruff
Source: c061393b55.exe, 00000009.00000003.2005103211.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.2001827694.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/wheel
Source: c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/wheel/issues
Source: c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: c061393b55.exe, 0000000A.00000003.2013381002.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017270583.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015929025.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2012943211.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015459372.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011705665.00000200D3C7B000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2013548335.00000200D3881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/issues
Source: c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
Source: e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
Source: c061393b55.exe, 0000000A.00000003.2016384535.00000200D3CAD000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016968942.00000200D3C05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: db0740f8e4.exe, 0000000D.00000002.2182568912.0000000001484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/
Source: db0740f8e4.exe, 0000000D.00000002.2182568912.0000000001484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/&v
Source: db0740f8e4.exe, 0000000D.00000002.2182568912.0000000001484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api
Source: db0740f8e4.exe, 0000000D.00000002.2182568912.0000000001484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api_
Source: db0740f8e4.exe, 0000000D.00000002.2182568912.0000000001484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/pi
Source: c061393b55.exe, 0000000A.00000003.2006568345.00000200D19EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/importlib_metadata
Source: c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools/
Source: e0ac53ba53.exe, 00000015.00000003.2122754416.00000000011EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rabidcowse.shop/
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
Source: c061393b55.exe, 0000000A.00000003.2011159095.00000200D395F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011310369.00000200D38E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: c061393b55.exe, 0000000A.00000003.2011995088.00000200D38DB000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011230346.00000200D3908000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011159095.00000200D395F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015079597.00000200D38DB000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011995088.00000200D390F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016912360.00000200D38DD000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2013381002.00000200D38DB000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016296141.00000200D38DD000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2012943211.00000200D390F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2012943211.00000200D38DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: c061393b55.exe, 0000000A.00000003.2011159095.00000200D395F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011159095.00000200D3920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;
Source: c061393b55.exe, 0000000A.00000003.2011159095.00000200D395F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011159095.00000200D3920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;r
Source: e0ac53ba53.exe, 00000015.00000003.2192715354.000000000593A000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2176182863.0000000005934000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2180876129.000000000593C000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2178530480.000000000593A000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2370059128.000000000146A000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.0000000001418000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2326932620.0000000001469000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/
Source: cf4bd6029c.exe, 00000016.00000003.2326932620.0000000001469000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2300615762.000000000146F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/%k4
Source: cf4bd6029c.exe, 00000016.00000003.2300615762.000000000146F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/=k
Source: cf4bd6029c.exe, 00000016.00000003.2299818266.0000000001418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/D
Source: cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api
Source: cf4bd6029c.exe, 00000016.00000003.2386196260.0000000001480000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2370059128.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api&v
Source: e0ac53ba53.exe, 00000015.00000003.2180807299.00000000058B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api1/i
Source: cf4bd6029c.exe, 00000016.00000003.2482960425.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apiG
Source: cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apiS
Source: e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apidP.a
Source: cf4bd6029c.exe, 00000016.00000003.2261072491.0000000005B31000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2265081690.0000000005B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apisYE
Source: cf4bd6029c.exe, 00000016.00000003.2482960425.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apitt
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2240142291.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2253717755.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apiu(
Source: cf4bd6029c.exe, 00000016.00000003.2326932620.0000000001469000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/l
Source: cf4bd6029c.exe, 00000016.00000003.2326932620.0000000001469000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/s
Source: cf4bd6029c.exe, 00000016.00000003.2385366413.000000000141B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/w
Source: e0ac53ba53.exe, e0ac53ba53.exe, 00000015.00000003.2176064084.000000000592E000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2176304559.000000000592E000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2176446364.000000000592E000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2252886391.0000000005931000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386196260.0000000001480000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2259495619.0000000005BB2000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2370059128.0000000001480000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.0000000001407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/api
Source: cf4bd6029c.exe, 00000016.00000003.2299582589.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/apibe
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/apive-Browser
Source: cf4bd6029c.exe, 00000016.00000003.2300941183.0000000001461000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.co
Source: cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfi
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2196857322.0000000001470000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: e0ac53ba53.exe, 00000015.00000003.2122754416.00000000011D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: e0ac53ba53.exe, 00000015.00000003.2122754416.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2240142291.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2211777661.000000000125D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2253717755.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steamp
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2196857322.0000000001470000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: e0ac53ba53.exe, 00000015.00000003.2180936760.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: e0ac53ba53.exe, 00000015.00000003.2180936760.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
Source: c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
Source: c061393b55.exe, 0000000A.00000003.2016801906.00000200D3D4F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2018241146.00000200D3D46000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017650493.00000200D3D58000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2018067959.00000200D3D6C000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016801906.00000200D3D5F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017986400.00000200D3D58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wheel.readthedocs.io/
Source: c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wheel.readthedocs.io/en/stable/news.html
Source: c061393b55.exe, 0000000A.00000003.2014574686.00000200D3CBC000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017270583.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015929025.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015589940.00000200D3CFB000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2014574686.00000200D3CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
Source: e0ac53ba53.exe, 00000015.00000003.2180936760.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: e0ac53ba53.exe, 00000015.00000003.2180936760.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: e0ac53ba53.exe, 00000015.00000003.2180936760.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: e0ac53ba53.exe, 00000015.00000003.2180936760.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: e0ac53ba53.exe, 00000015.00000003.2180936760.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: c061393b55.exe, 0000000A.00000003.2016384535.00000200D3CAD000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016968942.00000200D3C05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0427/
Source: e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: firefox.exe, 0000002C.00000002.2386552647.000001E18E35A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Code function: 13_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

13_2_00437A60

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Code function: 13_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

13_2_00437A60

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Code function: 13_2_00437C10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

13_2_00437C10

Source: C:\Windows\System32\dxdiag.exe

Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll

System Summary

.NET source code contains very large array initializations

Source: 31f59e2a09.exe.5.dr, -----------------------------------------.cs

Large array initialization: _200E_202D_200B_206E_206D_202E_202C_200C_200F_202D_200C_202B_202D_202B_206B_200E_206D_206C_202A_200C_202C_200E_200E_200B_206C_202A_206C_206B_206D_202E_206C_202D_202D_202E_206A_200E_206A_200E_202C_206F_202E: array initializer size 438272

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: .idata
Source: random[1].exe.5.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name: .idata
Source: cf4bd6029c.exe.5.dr	Static PE information: section name:
Source: cf4bd6029c.exe.5.dr	Static PE information: section name: .idata
Source: random[2].exe.5.dr	Static PE information: section name:
Source: random[2].exe.5.dr	Static PE information: section name: .idata
Source: random[2].exe.5.dr	Static PE information: section name:
Source: 05c06146f2.exe.5.dr	Static PE information: section name:
Source: 05c06146f2.exe.5.dr	Static PE information: section name: .idata
Source: 05c06146f2.exe.5.dr	Static PE information: section name:
Source: random[2].exe1.5.dr	Static PE information: section name:
Source: random[2].exe1.5.dr	Static PE information: section name: .idata
Source: caf9f1bef3.exe.5.dr	Static PE information: section name:
Source: caf9f1bef3.exe.5.dr	Static PE information: section name: .idata
Source: random[2].exe2.5.dr	Static PE information: section name:
Source: random[2].exe2.5.dr	Static PE information: section name: .idata
Source: random[2].exe2.5.dr	Static PE information: section name:
Source: b3206cdf20.exe.5.dr	Static PE information: section name:
Source: b3206cdf20.exe.5.dr	Static PE information: section name: .idata
Source: b3206cdf20.exe.5.dr	Static PE information: section name:
Source: random[3].exe1.5.dr	Static PE information: section name:
Source: random[3].exe1.5.dr	Static PE information: section name: .idata
Source: random[3].exe1.5.dr	Static PE information: section name:
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name:
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name: .idata
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00618860	1_2_00618860
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00617049	1_2_00617049
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_006178BB	1_2_006178BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_006131A8	1_2_006131A8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_005D4B30	1_2_005D4B30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00612D10	1_2_00612D10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_005D4DE0	1_2_005D4DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00607F36	1_2_00607F36
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0061779B	1_2_0061779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00698860	2_2_00698860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00697049	2_2_00697049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_006978BB	2_2_006978BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_006931A8	2_2_006931A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00654B30	2_2_00654B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00692D10	2_2_00692D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00654DE0	2_2_00654DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00687F36	2_2_00687F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0069779B	2_2_0069779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00698860	3_2_00698860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00697049	3_2_00697049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_006978BB	3_2_006978BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_006931A8	3_2_006931A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00654B30	3_2_00654B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00692D10	3_2_00692D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00654DE0	3_2_00654DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00687F36	3_2_00687F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0069779B	3_2_0069779B
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043D0D0	13_2_0043D0D0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0040E16E	13_2_0040E16E
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0040D172	13_2_0040D172
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00408A60	13_2_00408A60
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004442E0	13_2_004442E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004352B0	13_2_004352B0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00421B30	13_2_00421B30
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00418BA2	13_2_00418BA2
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00444C20	13_2_00444C20
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004324EE	13_2_004324EE
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043CE90	13_2_0043CE90
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00428750	13_2_00428750
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00425713	13_2_00425713
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042F716	13_2_0042F716
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00437850	13_2_00437850
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0041906A	13_2_0041906A
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00426010	13_2_00426010
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004438E0	13_2_004438E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004180F0	13_2_004180F0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004438F9	13_2_004438F9
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004438FB	13_2_004438FB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00427885	13_2_00427885
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0041D8B0	13_2_0041D8B0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00406950	13_2_00406950
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00444950	13_2_00444950
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043210B	13_2_0043210B
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00403910	13_2_00403910
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00429917	13_2_00429917
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00406120	13_2_00406120
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0040B92C	13_2_0040B92C
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042F1C1	13_2_0042F1C1
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004239EB	13_2_004239EB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00421180	13_2_00421180
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0041618C	13_2_0041618C
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043099F	13_2_0043099F
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0041F9A0	13_2_0041F9A0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0041D1B0	13_2_0041D1B0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042E9B0	13_2_0042E9B0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0041BA52	13_2_0041BA52
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043025E	13_2_0043025E
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042621B	13_2_0042621B
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042BA20	13_2_0042BA20
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00417222	13_2_00417222
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00443A30	13_2_00443A30
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004042C0	13_2_004042C0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00443AC0	13_2_00443AC0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004302CD	13_2_004302CD
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0040F2D0	13_2_0040F2D0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0040B280	13_2_0040B280
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00402B40	13_2_00402B40
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00443B60	13_2_00443B60
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00409B70	13_2_00409B70
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00422370	13_2_00422370
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00429B7B	13_2_00429B7B
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042FB7D	13_2_0042FB7D
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00405B00	13_2_00405B00
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00440B00	13_2_00440B00
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00428B10	13_2_00428B10
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00419B30	13_2_00419B30
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00411BDE	13_2_00411BDE
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004123EC	13_2_004123EC
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00428C62	13_2_00428C62
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043C460	13_2_0043C460
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043B410	13_2_0043B410
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00441C26	13_2_00441C26
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004064C0	13_2_004064C0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042F4E1	13_2_0042F4E1
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0041D4A0	13_2_0041D4A0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00408D10	13_2_00408D10
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043E520	13_2_0043E520
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00442DCA	13_2_00442DCA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00415DD8	13_2_00415DD8
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00425DA0	13_2_00425DA0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004085B0	13_2_004085B0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00409660	13_2_00409660
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00404E20	13_2_00404E20
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043C6C0	13_2_0043C6C0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043E6E0	13_2_0043E6E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004186E5	13_2_004186E5
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00444680	13_2_00444680
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0041DE90	13_2_0041DE90
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0043DF60	13_2_0043DF60
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00429F7C	13_2_00429F7C
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00433707	13_2_00433707
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00402F10	13_2_00402F10
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00407730	13_2_00407730
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00427FC0	13_2_00427FC0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004437D0	13_2_004437D0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00433FDF	13_2_00433FDF
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004127E0	13_2_004127E0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042A7F0	13_2_0042A7F0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_00434FF0	13_2_00434FF0
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0042AF92	13_2_0042AF92

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 005E80C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0066DF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 006680C0 appears 260 times
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: String function: 00408280 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: String function: 00414C20 appears 145 times

Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1704 -ip 1704

Source: unknown

Driver loaded: C:\Windows\System32\drivers\mstee.sys

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[2].exe.5.dr	Static PE information: Section: scpusmou ZLIB complexity 0.9944594096109006
Source: 05c06146f2.exe.5.dr	Static PE information: Section: scpusmou ZLIB complexity 0.9944594096109006
Source: random[2].exe2.5.dr	Static PE information: Section: ltmerovd ZLIB complexity 0.9905096780028944
Source: b3206cdf20.exe.5.dr	Static PE information: Section: ltmerovd ZLIB complexity 0.9905096780028944
Source: random[3].exe0.5.dr	Static PE information: Section: .bss ZLIB complexity 1.0003340475731894
Source: 24a1c81f44.exe.5.dr	Static PE information: Section: .bss ZLIB complexity 1.0003340475731894
Source: random[3].exe1.5.dr	Static PE information: Section: xpqdeyne ZLIB complexity 0.9943291037669301
Source: 01c00b6fe2.exe.5.dr	Static PE information: Section: xpqdeyne ZLIB complexity 0.9943291037669301
Source: random[1].exe1.5.dr	Static PE information: Section: .BSS ZLIB complexity 1.0003366411102483
Source: random[3].exe2.5.dr	Static PE information: Section: .bss ZLIB complexity 1.0005296610169492
Source: a85084d20f.exe.5.dr	Static PE information: Section: .bss ZLIB complexity 1.0005296610169492
Source: random[5].exe.5.dr	Static PE information: Section: .bss ZLIB complexity 1.0003366411102483
Source: 4e6501ac3b.exe.5.dr	Static PE information: Section: .bss ZLIB complexity 1.0003366411102483

Source: 05c06146f2.exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: cf4bd6029c.exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: random[3].exe0.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe0.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 24a1c81f44.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 24a1c81f44.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe2.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe2.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: a85084d20f.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: a85084d20f.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[5].exe.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[5].exe.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4e6501ac3b.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4e6501ac3b.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@119/177@0/16

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Code function: 13_2_0043D0D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

13_2_0043D0D0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1704
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2632:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\dxdiag.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\dxdiag.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: e0ac53ba53.exe, 00000015.00000003.2138764965.00000000058BE000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2137878311.00000000058D9000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2244101523.0000000005BD2000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214864510.0000000005B58000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2240820646.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2218578516.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	Virustotal: Detection: 58%
Source: file.exe	ReversingLabs: Detection: 57%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe "C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe"
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process created: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe "C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe"
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1704 -ip 1704
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 908
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe "C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe "C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe "C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe "C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe"
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe "C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe"
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe "C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe"
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2012 --field-trial-handle=2008,i,17564928535210738890,5689791328347770168,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe "C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe "C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe"
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f00215ad-1a9f-4dfa-990d-aaf96e354c4f} 7252 "\\.\pipe\gecko-crash-server-pipe.7252" 1a1d166eb10 socket
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1976 --field-trial-handle=1956,i,11737153874150669047,12636588976470451220,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe "C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe"
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe "C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe "C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe "C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe "C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe "C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe "C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe "C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe "C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1704 -ip 1704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process created: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe "C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2012 --field-trial-handle=2008,i,17564928535210738890,5689791328347770168,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f00215ad-1a9f-4dfa-990d-aaf96e354c4f} 7252 "\\.\pipe\gecko-crash-server-pipe.7252" 1a1d166eb10 socket
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1976 --field-trial-handle=1956,i,11737153874150669047,12636588976470451220,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: pywintypes313.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dxdiagn.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d12.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: winmmbase.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dsound.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: spinf.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: spfileq.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: wifidisplay.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: mfplat.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: rtworkq.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: mf.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: mfcore.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: ksuser.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: mfsensorgroup.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: comppkgsup.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: windows.media.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dispuserer.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d12core.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dxilconv.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3dscache.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d9.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: mscat32.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d9.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: ddraw.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dciman32.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: avrt.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: audioses.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: msacm32.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: midimap.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dinput8.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: hid.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: devenum.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: msdmo.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: quartz.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: d3d9.dll
Source: C:\Windows\System32\dxdiag.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 3266048 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: file.exe

Static PE information: Raw size of sihywpwu is bigger than: 0x100000 < 0x2b1a00

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: c061393b55.exe, 00000009.00000003.1987194818.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: c061393b55.exe, 00000009.00000003.2002034297.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Handler.pdbxa source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, db0740f8e4.exe, 0000000B.00000000.2021154039.00000000005F2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: BasicDisplay.pdb source: dxdiag.exe, 00000013.00000003.2071866630.000002B0A0551000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: c061393b55.exe, 00000009.00000003.1988223511.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: c061393b55.exe, 00000009.00000003.1987333299.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: c061393b55.exe, 00000009.00000003.1988867285.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Handler.pdb source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, db0740f8e4.exe, 0000000B.00000000.2021154039.00000000005F2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: c061393b55.exe, 00000009.00000003.1988362704.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: c061393b55.exe, 00000009.00000003.1988758273.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: c061393b55.exe, 00000009.00000003.1987499038.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: c061393b55.exe, 00000009.00000003.1987037746.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: c061393b55.exe, 00000009.00000003.1989574571.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: c061393b55.exe, 00000009.00000003.1987037746.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: c061393b55.exe, 00000009.00000003.1988994617.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: c061393b55.exe, 00000009.00000003.1988657125.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: c061393b55.exe, 00000009.00000003.1987194818.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BasicDisplay.pdbUGP source: dxdiag.exe, 00000013.00000003.2071866630.000002B0A0551000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.5d0000.0.unpack :EW;.rsrc:W;.idata :W;sihywpwu:EW;snftdmjr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;sihywpwu:EW;snftdmjr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.650000.0.unpack :EW;.rsrc:W;.idata :W;sihywpwu:EW;snftdmjr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;sihywpwu:EW;snftdmjr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.650000.0.unpack :EW;.rsrc:W;.idata :W;sihywpwu:EW;snftdmjr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;sihywpwu:EW;snftdmjr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Unpacked PE file: 29.2.cf4bd6029c.exe.a40000.0.unpack :EW;.rsrc:W;.idata :W;ikmnjisi:EW;nmpoliea:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ikmnjisi:EW;nmpoliea:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Unpacked PE file: 40.2.caf9f1bef3.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W;dqmrytmu:EW;pxqnvvkn:EW;.taggant:EW; vs :ER;.rsrc:W;

.NET source code contains method to dynamically call methods (often used by packers)

Source: random[3].exe0.5.dr, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 24a1c81f44.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: random[3].exe2.5.dr, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: a85084d20f.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: random[5].exe.5.dr, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4e6501ac3b.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: random[3].exe0.5.dr

Static PE information: 0xB22C430A [Sun Sep 21 17:53:14 2064 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe1.5.dr	Static PE information: real checksum: 0x0 should be: 0x5fe22
Source: 54d18f4f90.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x750ae
Source: random[4].exe1.5.dr	Static PE information: real checksum: 0x0 should be: 0x750ae
Source: random[4].exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x8969b
Source: 8c9c7a39f7.exe.5.dr	Static PE information: real checksum: 0xb4cee should be: 0x1bb421
Source: 05c06146f2.exe.5.dr	Static PE information: real checksum: 0x1ce1ad should be: 0x1cca5e
Source: random[2].exe1.5.dr	Static PE information: real checksum: 0x2a84a7 should be: 0x2ae5ef
Source: cf4bd6029c.exe.5.dr	Static PE information: real checksum: 0x305c54 should be: 0x2fb89a
Source: random[2].exe.5.dr	Static PE information: real checksum: 0x1ce1ad should be: 0x1cca5e
Source: caf9f1bef3.exe.5.dr	Static PE information: real checksum: 0x2a84a7 should be: 0x2ae5ef
Source: random[1].exe.5.dr	Static PE information: real checksum: 0x305c54 should be: 0x2fb89a
Source: ba5ccf6bd8.exe.5.dr	Static PE information: real checksum: 0xfb337 should be: 0x1074fb
Source: random[3].exe1.5.dr	Static PE information: real checksum: 0x44dc0e should be: 0x44e79f
Source: 31f59e2a09.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x8969b
Source: random[4].exe0.5.dr	Static PE information: real checksum: 0xfb337 should be: 0x1074fb
Source: 01c00b6fe2.exe.5.dr	Static PE information: real checksum: 0x44dc0e should be: 0x44e79f
Source: file.exe	Static PE information: real checksum: 0x31fa27 should be: 0x320240
Source: skotes.exe.1.dr	Static PE information: real checksum: 0x31fa27 should be: 0x320240
Source: random[2].exe2.5.dr	Static PE information: real checksum: 0x1e9b4a should be: 0x1e796b
Source: b3206cdf20.exe.5.dr	Static PE information: real checksum: 0x1e9b4a should be: 0x1e796b
Source: random[3].exe.5.dr	Static PE information: real checksum: 0xb4cee should be: 0x1bb421

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: sihywpwu
Source: file.exe	Static PE information: section name: snftdmjr
Source: file.exe	Static PE information: section name: .taggant
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: .idata
Source: skotes.exe.1.dr	Static PE information: section name: sihywpwu
Source: skotes.exe.1.dr	Static PE information: section name: snftdmjr
Source: skotes.exe.1.dr	Static PE information: section name: .taggant
Source: random[1].exe.5.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe.5.dr	Static PE information: section name: ikmnjisi
Source: random[1].exe.5.dr	Static PE information: section name: nmpoliea
Source: random[1].exe.5.dr	Static PE information: section name: .taggant
Source: cf4bd6029c.exe.5.dr	Static PE information: section name:
Source: cf4bd6029c.exe.5.dr	Static PE information: section name: .idata
Source: cf4bd6029c.exe.5.dr	Static PE information: section name: ikmnjisi
Source: cf4bd6029c.exe.5.dr	Static PE information: section name: nmpoliea
Source: cf4bd6029c.exe.5.dr	Static PE information: section name: .taggant
Source: random[2].exe.5.dr	Static PE information: section name:
Source: random[2].exe.5.dr	Static PE information: section name: .idata
Source: random[2].exe.5.dr	Static PE information: section name:
Source: random[2].exe.5.dr	Static PE information: section name: scpusmou
Source: random[2].exe.5.dr	Static PE information: section name: wkvcxnam
Source: random[2].exe.5.dr	Static PE information: section name: .taggant
Source: 05c06146f2.exe.5.dr	Static PE information: section name:
Source: 05c06146f2.exe.5.dr	Static PE information: section name: .idata
Source: 05c06146f2.exe.5.dr	Static PE information: section name:
Source: 05c06146f2.exe.5.dr	Static PE information: section name: scpusmou
Source: 05c06146f2.exe.5.dr	Static PE information: section name: wkvcxnam
Source: 05c06146f2.exe.5.dr	Static PE information: section name: .taggant
Source: random[2].exe1.5.dr	Static PE information: section name:
Source: random[2].exe1.5.dr	Static PE information: section name: .idata
Source: random[2].exe1.5.dr	Static PE information: section name: dqmrytmu
Source: random[2].exe1.5.dr	Static PE information: section name: pxqnvvkn
Source: random[2].exe1.5.dr	Static PE information: section name: .taggant
Source: caf9f1bef3.exe.5.dr	Static PE information: section name:
Source: caf9f1bef3.exe.5.dr	Static PE information: section name: .idata
Source: caf9f1bef3.exe.5.dr	Static PE information: section name: dqmrytmu
Source: caf9f1bef3.exe.5.dr	Static PE information: section name: pxqnvvkn
Source: caf9f1bef3.exe.5.dr	Static PE information: section name: .taggant
Source: random[2].exe2.5.dr	Static PE information: section name:
Source: random[2].exe2.5.dr	Static PE information: section name: .idata
Source: random[2].exe2.5.dr	Static PE information: section name:
Source: random[2].exe2.5.dr	Static PE information: section name: ltmerovd
Source: random[2].exe2.5.dr	Static PE information: section name: uydrgwnj
Source: random[2].exe2.5.dr	Static PE information: section name: .taggant
Source: b3206cdf20.exe.5.dr	Static PE information: section name:
Source: b3206cdf20.exe.5.dr	Static PE information: section name: .idata
Source: b3206cdf20.exe.5.dr	Static PE information: section name:
Source: b3206cdf20.exe.5.dr	Static PE information: section name: ltmerovd
Source: b3206cdf20.exe.5.dr	Static PE information: section name: uydrgwnj
Source: b3206cdf20.exe.5.dr	Static PE information: section name: .taggant
Source: random[3].exe1.5.dr	Static PE information: section name:
Source: random[3].exe1.5.dr	Static PE information: section name: .idata
Source: random[3].exe1.5.dr	Static PE information: section name:
Source: random[3].exe1.5.dr	Static PE information: section name: xpqdeyne
Source: random[3].exe1.5.dr	Static PE information: section name: nykjqzsf
Source: random[3].exe1.5.dr	Static PE information: section name: .taggant
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name:
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name: .idata
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name:
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name: xpqdeyne
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name: nykjqzsf
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_005ED91C push ecx; ret	1_2_005ED92F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_005E1359 push es; ret	1_2_005E135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0066D91C push ecx; ret	2_2_0066D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0065BA83 push ss; retf	2_2_0065BA85
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0066D91C push ecx; ret	3_2_0066D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0065BA83 push ss; retf	3_2_0065BA85
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_004499A1 push esp; ret	13_2_004499A2
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 13_2_0044AAD0 push ecx; retn 0041h	13_2_0044AAD5
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Code function: 21_3_058B3311 push ecx; retf	21_3_058B3312

Source: file.exe	Static PE information: section name: entropy: 7.019860685017432
Source: skotes.exe.1.dr	Static PE information: section name: entropy: 7.019860685017432
Source: random[1].exe.5.dr	Static PE information: section name: entropy: 7.06503557923827
Source: cf4bd6029c.exe.5.dr	Static PE information: section name: entropy: 7.06503557923827
Source: random[2].exe.5.dr	Static PE information: section name: scpusmou entropy: 7.953902861205792
Source: 05c06146f2.exe.5.dr	Static PE information: section name: scpusmou entropy: 7.953902861205792
Source: random[2].exe1.5.dr	Static PE information: section name: entropy: 7.7510645866137935
Source: caf9f1bef3.exe.5.dr	Static PE information: section name: entropy: 7.7510645866137935
Source: random[2].exe2.5.dr	Static PE information: section name: ltmerovd entropy: 7.9498479799331765
Source: b3206cdf20.exe.5.dr	Static PE information: section name: ltmerovd entropy: 7.9498479799331765
Source: random[3].exe1.5.dr	Static PE information: section name: xpqdeyne entropy: 7.955523872525168
Source: 01c00b6fe2.exe.5.dr	Static PE information: section name: xpqdeyne entropy: 7.955523872525168
Source: random[4].exe.5.dr	Static PE information: section name: .text entropy: 7.010866345977857
Source: 31f59e2a09.exe.5.dr	Static PE information: section name: .text entropy: 7.010866345977857

Source: random[3].exe0.5.dr, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'
Source: 24a1c81f44.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'
Source: random[3].exe2.5.dr, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'
Source: a85084d20f.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'
Source: random[5].exe.5.dr, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'
Source: 4e6501ac3b.exe.5.dr, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe

Process created: "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"

Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033702001\31f59e2a09.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033707001\a0d135de95.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File created: C:\Users\user\AppData\Local\Temp\F92YSIFAGW8CC4SRE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32\pywintypes313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033701001\01c00b6fe2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033703001\ba5ccf6bd8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1033705001\54d18f4f90.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File created: C:\Users\user\AppData\Local\Temp\ITH3569MCVRCZNYE5XQ77V.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Jump to behavior

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run caf9f1bef3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cf4bd6029c.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 05c06146f2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 959ae18948.exe	Jump to behavior

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window searched: window name: Regmonclass

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cf4bd6029c.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cf4bd6029c.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 05c06146f2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 05c06146f2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 959ae18948.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 959ae18948.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run caf9f1bef3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run caf9f1bef3.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dxdiag.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dxdiag.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dxdiag.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_1-12229
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_2-9659

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\dxdiag.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} WHERE ResultClass = Win32_DiskDrive
Source: C:\Windows\System32\dxdiag.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\dxdiag.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk Where DriveType=3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\System32\dxdiag.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63F346 second address: 63F34C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ABA8E second address: 7ABABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB2h 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FF63516ECAEh 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ABABC second address: 7ABAC7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BCEE1 second address: 7BCEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF63516ECA6h 0x0000000a pop eax 0x0000000b jmp 00007FF63516ECABh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BCEFB second address: 7BCF05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF634B8A936h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD313 second address: 7BD317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ABAB2 second address: 7ABABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD754 second address: 7BD758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD758 second address: 7BD75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BFE0A second address: 7BFE0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BFE0E second address: 7BFE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C022A second address: 7C0230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DE963 second address: 7DE96D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF634B8A936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DE96D second address: 7DE973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DE973 second address: 7DE986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FF634B8A950h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEC36 second address: 7DEC43 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF0FD second address: 7DF10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF634B8A93Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF10B second address: 7DF110 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF292 second address: 7DF29B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF54A second address: 7DF54E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF7FE second address: 7DF802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B0C62 second address: 7B0C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jne 00007FF63516ECB2h 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e jbe 00007FF63516ECA6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push edi 0x00000018 jg 00007FF63516ECA6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DFFD5 second address: 7DFFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DFFDB second address: 7DFFDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0250 second address: 7E0258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0258 second address: 7E025C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6A1C second address: 7A6A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF634B8A93Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6A2A second address: 7A6A44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6A44 second address: 7A6A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6A52 second address: 7A6A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6A56 second address: 7A6A72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A948h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E69A0 second address: 7E69B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF63516ECABh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E69B2 second address: 7E69B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EC160 second address: 7EC164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EC164 second address: 7EC16C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EC16C second address: 7EC171 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EC431 second address: 7EC44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FF634B8A944h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EC44E second address: 7EC46C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB2h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EC8E4 second address: 7EC8F4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF634B8A942h 0x00000008 jnl 00007FF634B8A936h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EC8F4 second address: 7EC8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEEED second address: 7EEF0A instructions: 0x00000000 rdtsc 0x00000002 js 00007FF634B8A936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FF634B8A938h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FF634B8A936h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEF0A second address: 7EEF15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEFE3 second address: 7EEFE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEFE8 second address: 7EEFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF0B9 second address: 7EF0BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF0BD second address: 7EF0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF0C3 second address: 7EF0C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF1A4 second address: 7EF1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FF63516ECB7h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF601 second address: 7EF630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF634B8A942h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FF634B8A940h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF630 second address: 7EF634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF6AA second address: 7EF6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF6AE second address: 7EF6B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF776 second address: 7EF77A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF77A second address: 7EF791 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FF63516ECAAh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF791 second address: 7EF795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EF944 second address: 7EF95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF63516ECB6h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EFA6E second address: 7EFA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F2928 second address: 7F292C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F292C second address: 7F298A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FF634B8A93Ch 0x0000000c jng 00007FF634B8A936h 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 jng 00007FF634B8A93Ch 0x0000001c add esi, dword ptr [ebp+122D3AE1h] 0x00000022 push 00000000h 0x00000024 or di, A062h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c mov dword ptr [ebp+122D2653h], eax 0x00000032 pop edi 0x00000033 xchg eax, ebx 0x00000034 push edx 0x00000035 jmp 00007FF634B8A93Fh 0x0000003a pop edx 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FF634B8A946h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3459 second address: 7F34C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 jmp 00007FF63516ECAAh 0x0000000c nop 0x0000000d jmp 00007FF63516ECB4h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FF63516ECA8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FF63516ECA8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a xor edi, dword ptr [ebp+122D3941h] 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3245 second address: 7F3256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF634B8A93Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F34C9 second address: 7F34CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F34CD second address: 7F34D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F4A99 second address: 7F4AA6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF63516ECA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F7159 second address: 7F715E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F715E second address: 7F7164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5D47 second address: 7F5D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF634B8A943h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F51F6 second address: 7F51FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F7164 second address: 7F716A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F51FA second address: 7F51FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A858C second address: 7A8592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FABB1 second address: 7FABB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FABB5 second address: 7FABD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A93Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF634B8A93Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FDCD1 second address: 7FDCDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEC3B second address: 7FEC45 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF634B8A936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FDCDC second address: 7FDCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 803B45 second address: 803B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804C41 second address: 804C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804C45 second address: 804C4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 802C01 second address: 802C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804EA4 second address: 804EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 802C05 second address: 802C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804EA8 second address: 804EAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 802C0B second address: 802C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805E66 second address: 805E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804EAE second address: 804EBC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806A97 second address: 806AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804EBC second address: 804EC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B277D second address: 7B278C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF634B8A93Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8105AE second address: 8105B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8105B4 second address: 8105CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FF634B8A93Ch 0x0000000b ja 00007FF634B8A936h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8105CD second address: 8105DD instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF63516ECB2h 0x00000008 je 00007FF63516ECA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81072A second address: 81073A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnl 00007FF634B8A936h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810872 second address: 810878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810878 second address: 810882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810882 second address: 810899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF63516ECB3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810899 second address: 8108B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FF634B8A93Eh 0x0000000e popad 0x0000000f pushad 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8108B9 second address: 8108CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF63516ECB2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 815F06 second address: 815F29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A942h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FF634B8A938h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 815F29 second address: 815F2E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 815F2E second address: 815F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 815F3D second address: 815F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FF63516ECA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81601D second address: 816047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jnc 00007FF634B8A943h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jbe 00007FF634B8A940h 0x00000018 pushad 0x00000019 push esi 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BC1D second address: 81BC25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BC25 second address: 81BC35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FF634B8A936h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BC35 second address: 81BC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BC3B second address: 81BC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AD66F second address: 7AD675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B526 second address: 81B52E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B52E second address: 81B533 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B6B5 second address: 81B6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B6BA second address: 81B6BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B94C second address: 81B965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF634B8A936h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 821297 second address: 82129D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82129D second address: 8212B1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF634B8A936h 0x00000008 jg 00007FF634B8A936h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8212B1 second address: 8212B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8212B7 second address: 8212BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8212BB second address: 8212BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7964 second address: 7B7968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7968 second address: 7B7989 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF63516ECA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jc 00007FF63516ECA6h 0x00000015 jne 00007FF63516ECA6h 0x0000001b popad 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7989 second address: 7B7990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820316 second address: 82031A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82031A second address: 820320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820320 second address: 82032A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82072B second address: 82072F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82072F second address: 820739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820739 second address: 820743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF634B8A936h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820743 second address: 820765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FF63516ECB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820765 second address: 820772 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81FDAD second address: 81FDC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF63516ECB0h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820CC4 second address: 820CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF634B8A936h 0x0000000a jns 00007FF634B8A936h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FF634B8A936h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820CDD second address: 820CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824737 second address: 82473D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82473D second address: 82476A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007FF63516ECC5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82476A second address: 8247A2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF634B8A94Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF634B8A946h 0x0000000f jno 00007FF634B8A93Ch 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jne 00007FF634B8A964h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED7F2 second address: 7ED7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED945 second address: 7ED994 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A942h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ecx 0x0000000e jmp 00007FF634B8A93Ch 0x00000013 pop ecx 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 pushad 0x00000018 jmp 00007FF634B8A942h 0x0000001d push esi 0x0000001e pop esi 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF634B8A93Ch 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDA58 second address: 7EDA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDC18 second address: 7EDC1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDC1E second address: 7EDC22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDC22 second address: 7EDC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007FF634B8A936h 0x00000013 popad 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF634B8A93Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDC4A second address: 7EDC76 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF63516ECA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FF63516ECB0h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 je 00007FF63516ECB0h 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDE4A second address: 7EDE5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 jp 00007FF634B8A938h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDE5D second address: 7EDE9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov ch, bh 0x0000000d push 00000004h 0x0000000f mov di, bx 0x00000012 push eax 0x00000013 pushad 0x00000014 jmp 00007FF63516ECB8h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDE9D second address: 7EDEA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE287 second address: 7EE294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FF63516ECA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE294 second address: 7EE298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE620 second address: 7EE65D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF63516ECA6h 0x00000009 jmp 00007FF63516ECADh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 call 00007FF63516ECAEh 0x00000017 pop ecx 0x00000018 lea eax, dword ptr [ebp+12482145h] 0x0000001e mov di, dx 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 js 00007FF63516ECA6h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE65D second address: 7EE667 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF634B8A936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE667 second address: 7EE698 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c or dword ptr [ebp+122D1EBCh], edi 0x00000012 lea eax, dword ptr [ebp+12482101h] 0x00000018 sub dword ptr [ebp+122D3552h], ecx 0x0000001e nop 0x0000001f jns 00007FF63516ECAEh 0x00000025 push esi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE698 second address: 7EE6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE6A3 second address: 7EE6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE6A7 second address: 7D45D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 call dword ptr [ebp+122D203Dh] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF634B8A947h 0x00000016 je 00007FF634B8A936h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D45D6 second address: 7D4601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FF63516ECB7h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jc 00007FF63516ECB2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D4601 second address: 7D4607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824A8C second address: 824A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECABh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824A9D second address: 824AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824AA5 second address: 824AF0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF63516ECB7h 0x0000000c jmp 00007FF63516ECB1h 0x00000011 jmp 00007FF63516ECB3h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824AF0 second address: 824B00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FF634B8A936h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824B00 second address: 824B16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECACh 0x00000007 jl 00007FF63516ECA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824C89 second address: 824C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824C8D second address: 824CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF63516ECB6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824CA9 second address: 824CB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FF634B8A936h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824CB6 second address: 824D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF63516ECA6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007FF63516ECEEh 0x00000013 jmp 00007FF63516ECAFh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF63516ECB8h 0x0000001f jmp 00007FF63516ECB5h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824D07 second address: 824D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824E6A second address: 824E74 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824E74 second address: 824E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824E7A second address: 824E7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824E7E second address: 824E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824E86 second address: 824E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824E8B second address: 824E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 824E95 second address: 824EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 825001 second address: 825005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 825005 second address: 82500B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82BCF6 second address: 82BCFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82BCFC second address: 82BD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF63516ECB0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831594 second address: 8315AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FF634B8A936h 0x00000012 jbe 00007FF634B8A936h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8315AC second address: 8315CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FF63516ECB3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 830430 second address: 830434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 830557 second address: 830574 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF63516ECB2h 0x00000008 pushad 0x00000009 je 00007FF63516ECA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8307EB second address: 8307F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF634B8A936h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 830A72 second address: 830A80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FF63516ECA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 830A80 second address: 830A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 830A84 second address: 830A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 830E89 second address: 830E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF634B8A93Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 830E9D second address: 830EA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 830EA1 second address: 830EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF634B8A936h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FF634B8A936h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83142D second address: 831431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831431 second address: 831435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831435 second address: 831446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jc 00007FF63516ECA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831446 second address: 831450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 836934 second address: 836938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 836938 second address: 836967 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A946h 0x00000007 jmp 00007FF634B8A945h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 839CD0 second address: 839CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8395A5 second address: 8395B5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF634B8A936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8398A8 second address: 8398D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF63516ECA6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FF63516ECAAh 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 push ebx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jc 00007FF63516ECA6h 0x00000021 pop ebx 0x00000022 pushad 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8398D4 second address: 8398DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 839A5F second address: 839A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83E8D8 second address: 83E8DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83E8DE second address: 83E8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF63516ECAAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 844A87 second address: 844ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF634B8A943h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF634B8A946h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 844ABB second address: 844AC5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF63516ECA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 844AC5 second address: 844AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FF634B8A93Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 844AF2 second address: 844AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007FF63516ECA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 843379 second address: 84339E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A93Ah 0x00000007 jmp 00007FF634B8A942h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84339E second address: 8433A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 843668 second address: 843672 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF634B8A942h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8437B2 second address: 8437B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8437B7 second address: 8437BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8437BD second address: 8437C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 843906 second address: 84390B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE038 second address: 7EE03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE03C second address: 7EE05C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A948h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE05C second address: 7EE060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE060 second address: 7EE0D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FF634B8A938h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 and edx, 551BE54Fh 0x0000002a mov ebx, dword ptr [ebp+12482140h] 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FF634B8A938h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D2047h], ecx 0x00000050 add eax, ebx 0x00000052 push eax 0x00000053 pushad 0x00000054 jnc 00007FF634B8A93Ch 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d pop eax 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE0D5 second address: 7EE12C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FF63516ECA8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov edx, dword ptr [ebp+122D2980h] 0x0000002d push 00000004h 0x0000002f mov dword ptr [ebp+124764B0h], edi 0x00000035 nop 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 push eax 0x0000003a pop eax 0x0000003b pushad 0x0000003c popad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 844771 second address: 8447AF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF634B8A936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF634B8A944h 0x0000000f jp 00007FF634B8A94Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8447AF second address: 8447B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84822B second address: 84822F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84822F second address: 848235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 848579 second address: 84857F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84857F second address: 8485AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 jnp 00007FF63516ECA6h 0x0000000c ja 00007FF63516ECA6h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF63516ECB7h 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84A297 second address: 84A2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FF634B8A938h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84A2A9 second address: 84A2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF63516ECB6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84A2C7 second address: 84A2CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 852C43 second address: 852C5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF63516ECAFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 852C5D second address: 852C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 852C63 second address: 852C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF63516ECA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851296 second address: 8512C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A93Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF634B8A936h 0x00000012 jmp 00007FF634B8A946h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8512C8 second address: 8512D4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851843 second address: 851847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851847 second address: 851869 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851869 second address: 851873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851873 second address: 8518A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF63516ECB3h 0x0000000a popad 0x0000000b jo 00007FF63516ECB8h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 jl 00007FF63516ECACh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851B58 second address: 851B8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A949h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF634B8A946h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851E70 second address: 851E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF63516ECA6h 0x0000000a jmp 00007FF63516ECB7h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851E92 second address: 851EA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A93Fh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851EA6 second address: 851EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851EAC second address: 851EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8520FE second address: 852103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 852103 second address: 852108 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 852108 second address: 852114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF63516ECA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8523E3 second address: 8523E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8523E9 second address: 8523FB instructions: 0x00000000 rdtsc 0x00000002 je 00007FF63516ECA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF63516ECA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 852704 second address: 85270A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 855CFB second address: 855D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 855E5B second address: 855E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF634B8A93Eh 0x0000000b jmp 00007FF634B8A946h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 855E89 second address: 855EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF63516ECA6h 0x0000000a pop eax 0x0000000b je 00007FF63516ECB2h 0x00000011 jne 00007FF63516ECA6h 0x00000017 jp 00007FF63516ECA6h 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 855EA9 second address: 855EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 855FF5 second address: 855FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 855FF9 second address: 855FFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85649D second address: 8564BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF63516ECADh 0x00000012 jbe 00007FF63516ECA6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8565FA second address: 856606 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF634B8A93Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 856606 second address: 856613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jbe 00007FF63516ECA6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 856613 second address: 856623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FF634B8A936h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 856623 second address: 856655 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FF63516ECB2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8568E4 second address: 8568E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 864824 second address: 86482E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF63516ECA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86482E second address: 864859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF634B8A93Ch 0x0000000c jnl 00007FF634B8A936h 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FF634B8A947h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c jmp 00007FF634B8A93Fh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 864859 second address: 864861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 864861 second address: 864865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 864865 second address: 864869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 863097 second address: 86309C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8634A6 second address: 8634AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86840F second address: 868415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 868415 second address: 868446 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB4h 0x00000007 jnc 00007FF63516ECB5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 868446 second address: 86846F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF634B8A947h 0x00000009 jc 00007FF634B8A936h 0x0000000f popad 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86846F second address: 868475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 868475 second address: 86847E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87A87D second address: 87A886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87E151 second address: 87E161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FF634B8A936h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87E161 second address: 87E171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87FB04 second address: 87FB10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF634B8A936h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87FB10 second address: 87FB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87FB22 second address: 87FB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FF634B8A941h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 885D92 second address: 885DA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 888BDA second address: 888BFC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jns 00007FF634B8A936h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF634B8A946h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 888BFC second address: 888C1C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF63516ECB7h 0x00000008 pop edx 0x00000009 push ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 88A461 second address: 88A465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 892F1A second address: 892F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF63516ECB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89BA6A second address: 89BA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF634B8A942h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89BA76 second address: 89BA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89BBCC second address: 89BC11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF634B8A942h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FF634B8A943h 0x00000013 jmp 00007FF634B8A943h 0x00000018 popad 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89BC11 second address: 89BC1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF63516ECA6h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89BC1C second address: 89BC2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FF634B8A936h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89C048 second address: 89C04F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89C1C3 second address: 89C1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 js 00007FF634B8A942h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89C1D1 second address: 89C1D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89C1D7 second address: 89C1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89C356 second address: 89C379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF63516ECAAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF63516ECABh 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FF63516ECA6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89C379 second address: 89C37F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89CE58 second address: 89CE6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF63516ECADh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89CE6E second address: 89CE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89FD62 second address: 89FD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89FD66 second address: 89FDA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FF634B8A93Fh 0x00000010 jno 00007FF634B8A936h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 89FDA8 second address: 89FDBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FF63516ECB2h 0x0000000b jne 00007FF63516ECA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8B2FC4 second address: 8B2FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8B2FC8 second address: 8B2FF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB8h 0x00000007 jmp 00007FF63516ECADh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8B2FF7 second address: 8B3019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF634B8A936h 0x0000000a popad 0x0000000b jmp 00007FF634B8A947h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8B480F second address: 8B4813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8B4813 second address: 8B481C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8B481C second address: 8B482B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FF63516ECA6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8B482B second address: 8B4832 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8AE29A second address: 8AE2B7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF63516ECA6h 0x00000008 jno 00007FF63516ECA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF63516ECABh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8C1D81 second address: 8C1D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF634B8A93Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8C1A8E second address: 8C1A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8C1A94 second address: 8C1AC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A940h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF634B8A946h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DB812 second address: 8DB818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DAC0F second address: 8DAC1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FF634B8A936h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DAC1B second address: 8DAC1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DAEFA second address: 8DAF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DB046 second address: 8DB04B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DB04B second address: 8DB051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DB051 second address: 8DB057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DB201 second address: 8DB205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DB205 second address: 8DB21C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF63516ECA6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DB21C second address: 8DB236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FF634B8A936h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FF634B8A936h 0x00000014 jbe 00007FF634B8A936h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE1D1 second address: 8DE1DB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF63516ECACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE275 second address: 8DE27B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE4C3 second address: 8DE4D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE739 second address: 8DE74E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF634B8A940h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE74E second address: 8DE760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FF63516ECACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE760 second address: 8DE764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE764 second address: 8DE769 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE769 second address: 8DE76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE76F second address: 8DE7BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dword ptr [ebp+12455FD4h], eax 0x0000000e push dword ptr [ebp+122D2A5Ah] 0x00000014 mov edx, edi 0x00000016 call 00007FF63516ECA9h 0x0000001b jmp 00007FF63516ECB0h 0x00000020 push eax 0x00000021 jns 00007FF63516ECAEh 0x00000027 mov eax, dword ptr [esp+04h] 0x0000002b pushad 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f jl 00007FF63516ECA6h 0x00000035 popad 0x00000036 push ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE7BF second address: 8DE816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jne 00007FF634B8A945h 0x0000000f jmp 00007FF634B8A93Fh 0x00000014 jmp 00007FF634B8A949h 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FF634B8A949h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8E322A second address: 8E3246 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF63516ECB2h 0x00000008 je 00007FF63516ECA6h 0x0000000e je 00007FF63516ECA6h 0x00000014 jl 00007FF63516ECB2h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460E9B second address: 5460E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460E9F second address: 5460ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF63516ECACh 0x00000011 adc ecx, 4EF5B768h 0x00000017 jmp 00007FF63516ECABh 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460ECA second address: 5460F06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF634B8A948h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460F06 second address: 5460F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460F0A second address: 5460F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460F10 second address: 5460F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549081E second address: 5490824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5490824 second address: 5490828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430073 second address: 5430090 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430090 second address: 5430096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430096 second address: 54300C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A943h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF634B8A945h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54300C7 second address: 5430122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF63516ECB6h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FF63516ECAEh 0x00000019 adc eax, 22FF90E8h 0x0000001f jmp 00007FF63516ECABh 0x00000024 popfd 0x00000025 movzx eax, dx 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FF63516ECAEh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430122 second address: 5430141 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF634B8A942h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430141 second address: 543018B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 5FAE3454h 0x00000008 pushfd 0x00000009 jmp 00007FF63516ECADh 0x0000000e sub cx, 2716h 0x00000013 jmp 00007FF63516ECB1h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push dword ptr [ebp+0Ch] 0x0000001f jmp 00007FF63516ECAEh 0x00000024 push dword ptr [ebp+08h] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 543018B second address: 543018F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 543018F second address: 5430193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430193 second address: 5430199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54301BD second address: 54301C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54301C1 second address: 54301C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450BA3 second address: 5450BC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF63516ECADh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450BC8 second address: 5450C16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 461DB882h 0x00000008 push edx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FF634B8A944h 0x00000013 xchg eax, ebp 0x00000014 jmp 00007FF634B8A940h 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF634B8A947h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450C16 second address: 5450C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF63516ECB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 545066E second address: 54506DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF634B8A945h 0x00000009 sbb ah, FFFFFFE6h 0x0000000c jmp 00007FF634B8A941h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FF634B8A940h 0x00000018 add cl, FFFFFF88h 0x0000001b jmp 00007FF634B8A93Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 xchg eax, ebp 0x00000025 pushad 0x00000026 mov al, 88h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FF634B8A947h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450570 second address: 54505E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF63516ECAAh 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 call 00007FF63516ECB7h 0x00000016 pop esi 0x00000017 pushfd 0x00000018 jmp 00007FF63516ECB9h 0x0000001d or si, 8806h 0x00000022 jmp 00007FF63516ECB1h 0x00000027 popfd 0x00000028 popad 0x00000029 pushad 0x0000002a mov di, cx 0x0000002d mov eax, 7FBE5E89h 0x00000032 popad 0x00000033 popad 0x00000034 xchg eax, ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FF63516ECABh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54505E9 second address: 545062F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF634B8A942h 0x00000009 jmp 00007FF634B8A945h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov ebp, esp 0x00000014 jmp 00007FF634B8A93Eh 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 545062F second address: 5450635 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450635 second address: 5450644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF634B8A93Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450644 second address: 5450648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450284 second address: 5450288 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450288 second address: 545028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 545028E second address: 54502CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, E703h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b jmp 00007FF634B8A942h 0x00000010 mov dword ptr [esp], ebp 0x00000013 pushad 0x00000014 mov ax, 4A9Dh 0x00000018 push eax 0x00000019 push edx 0x0000001a call 00007FF634B8A948h 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54502CE second address: 545030A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF63516ECABh 0x00000008 and si, 8BBEh 0x0000000d jmp 00007FF63516ECB9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bx, C11Eh 0x0000001f mov esi, ebx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54600A7 second address: 54600AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54600AB second address: 54600B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54600B1 second address: 54600CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF634B8A945h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54600CA second address: 54600FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 mov di, F95Ch 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF63516ECB1h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54600FF second address: 5460105 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460105 second address: 5460109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460109 second address: 546013A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF634B8A93Fh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF634B8A945h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549074A second address: 54907C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 jmp 00007FF63516ECB3h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007FF63516ECAFh 0x00000015 pushfd 0x00000016 jmp 00007FF63516ECB8h 0x0000001b add cx, BD98h 0x00000020 jmp 00007FF63516ECABh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 jmp 00007FF63516ECB4h 0x0000002e mov ebx, ecx 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push edx 0x00000037 pop esi 0x00000038 movsx ebx, ax 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54907C6 second address: 54907FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A947h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b call 00007FF634B8A944h 0x00000010 mov esi, 2F55EA91h 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470305 second address: 547030B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 547030B second address: 547032A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A944h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 547032A second address: 5470375 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jmp 00007FF63516ECB5h 0x0000000c popad 0x0000000d mov eax, dword ptr [ebp+08h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ax, dx 0x00000016 pushfd 0x00000017 jmp 00007FF63516ECAFh 0x0000001c jmp 00007FF63516ECB3h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470375 second address: 54703AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c jmp 00007FF634B8A93Eh 0x00000011 and dword ptr [eax+04h], 00000000h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54703AD second address: 54703B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54703B1 second address: 54703B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54703B7 second address: 54703F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF63516ECB2h 0x00000009 and al, FFFFFFE8h 0x0000000c jmp 00007FF63516ECABh 0x00000011 popfd 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF63516ECAEh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450489 second address: 54504C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF634B8A941h 0x00000009 sbb ax, 33B6h 0x0000000e jmp 00007FF634B8A941h 0x00000013 popfd 0x00000014 mov ebx, eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54504C1 second address: 54504C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54504C5 second address: 54504C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54504C9 second address: 54504CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54504CF second address: 54504ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A941h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov ch, dh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54504ED second address: 545051E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov bx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx ebx, cx 0x00000014 pushfd 0x00000015 jmp 00007FF63516ECAAh 0x0000001a adc cx, BB98h 0x0000001f jmp 00007FF63516ECABh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460DAD second address: 5460DDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A942h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FF634B8A943h 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460DDC second address: 5460E73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov si, B1B1h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF63516ECAAh 0x00000014 jmp 00007FF63516ECB5h 0x00000019 popfd 0x0000001a push esi 0x0000001b pushfd 0x0000001c jmp 00007FF63516ECB7h 0x00000021 sbb ax, 587Eh 0x00000026 jmp 00007FF63516ECB9h 0x0000002b popfd 0x0000002c pop eax 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 jmp 00007FF63516ECB7h 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FF63516ECB0h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460E73 second address: 5460E79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460E79 second address: 5460E7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470132 second address: 5470136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470136 second address: 547013C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 547013C second address: 547015C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A93Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF634B8A93Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 547015C second address: 5470160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470160 second address: 5470166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470166 second address: 547016C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 547016C second address: 5470170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470170 second address: 5470180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov cx, D61Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480DAB second address: 5480DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480DAF second address: 5480DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480DB3 second address: 5480DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480DB9 second address: 5480DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF63516ECB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480ED4 second address: 5480EFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF634B8A947h 0x00000008 mov dx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor eax, dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480EFD second address: 5480F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F01 second address: 5480F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F07 second address: 5480F0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F0D second address: 5480F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F11 second address: 5480F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and ecx, 1Fh 0x0000000b pushad 0x0000000c call 00007FF63516ECB3h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F32 second address: 5480F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov edx, 157C807Ah 0x0000000a popad 0x0000000b ror eax, cl 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FF634B8A93Ah 0x00000016 sub eax, 5A45C7B8h 0x0000001c jmp 00007FF634B8A93Bh 0x00000021 popfd 0x00000022 mov dx, si 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F63 second address: 5480F6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F6A second address: 5480F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 leave 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF634B8A946h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F8A second address: 5480F90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F90 second address: 5480F94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480F94 second address: 549001E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c mov esi, eax 0x0000000e lea eax, dword ptr [ebp-08h] 0x00000011 xor esi, dword ptr [00632014h] 0x00000017 push eax 0x00000018 push eax 0x00000019 push eax 0x0000001a lea eax, dword ptr [ebp-10h] 0x0000001d push eax 0x0000001e call 00007FF63A00EBE6h 0x00000023 push FFFFFFFEh 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 call 00007FF63516ECB2h 0x0000002d pop eax 0x0000002e mov ebx, 7E590666h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549001E second address: 5490024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5490024 second address: 5490028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5490028 second address: 5490037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5490037 second address: 549003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549003B second address: 5490052 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A943h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5490052 second address: 549007D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007FF63A00EC4Fh 0x00000011 mov edi, edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov edi, 7B6396FEh 0x0000001b mov esi, edx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549007D second address: 54900D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF634B8A93Eh 0x00000009 jmp 00007FF634B8A945h 0x0000000e popfd 0x0000000f call 00007FF634B8A940h 0x00000014 pop eax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF634B8A948h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54900D6 second address: 54900E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54900E5 second address: 549010B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549010B second address: 5490111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5490111 second address: 5490126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF634B8A941h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 544006B second address: 5440071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440071 second address: 544008A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF634B8A93Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 544008A second address: 5440090 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440090 second address: 5440096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440096 second address: 544009A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 544009A second address: 54400BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF634B8A944h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54400BE second address: 54400F9 instructions: 0x00000000 rdtsc 0x00000002 call 00007FF63516ECB8h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov bx, C7D6h 0x0000000e popad 0x0000000f and esp, FFFFFFF8h 0x00000012 jmp 00007FF63516ECADh 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push edi 0x0000001e pop esi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54400F9 second address: 544010E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF634B8A941h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 544010E second address: 5440112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440112 second address: 5440130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF634B8A943h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440130 second address: 5440153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440153 second address: 5440159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440159 second address: 544015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 544015E second address: 54401A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, D0h 0x00000005 mov bx, 6F32h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FF634B8A946h 0x00000012 mov dword ptr [esp], ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007FF634B8A93Ch 0x0000001e sbb cx, 3F78h 0x00000023 jmp 00007FF634B8A93Bh 0x00000028 popfd 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54401A5 second address: 544021A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FF63516ECB2h 0x0000000f sub eax, 1EF76908h 0x00000015 jmp 00007FF63516ECABh 0x0000001a popfd 0x0000001b popad 0x0000001c mov ebx, dword ptr [ebp+10h] 0x0000001f jmp 00007FF63516ECB6h 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FF63516ECB7h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 544021A second address: 5440255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, DDh 0x0000000d mov ecx, 52DCFE2Fh 0x00000012 popad 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF634B8A941h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440255 second address: 54402C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d jmp 00007FF63516ECACh 0x00000012 call 00007FF63516ECB2h 0x00000017 mov eax, 6B61A701h 0x0000001c pop eax 0x0000001d popad 0x0000001e push ecx 0x0000001f jmp 00007FF63516ECAAh 0x00000024 mov dword ptr [esp], edi 0x00000027 jmp 00007FF63516ECB0h 0x0000002c test esi, esi 0x0000002e pushad 0x0000002f mov si, 131Dh 0x00000033 popad 0x00000034 je 00007FF6A73CD002h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54402C5 second address: 54402CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54402CB second address: 5440386 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF63516ECB9h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000013 jmp 00007FF63516ECAAh 0x00000018 je 00007FF6A73CCFD5h 0x0000001e jmp 00007FF63516ECB0h 0x00000023 mov edx, dword ptr [esi+44h] 0x00000026 jmp 00007FF63516ECB0h 0x0000002b or edx, dword ptr [ebp+0Ch] 0x0000002e jmp 00007FF63516ECB0h 0x00000033 test edx, 61000000h 0x00000039 pushad 0x0000003a mov eax, edx 0x0000003c popad 0x0000003d jne 00007FF6A73CCFECh 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 call 00007FF63516ECB0h 0x0000004b pop eax 0x0000004c pushfd 0x0000004d jmp 00007FF63516ECABh 0x00000052 adc ch, 0000000Eh 0x00000055 jmp 00007FF63516ECB9h 0x0000005a popfd 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440386 second address: 5440396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF634B8A93Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440396 second address: 54403F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f jmp 00007FF63516ECB6h 0x00000014 jne 00007FF6A73CCF86h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FF63516ECADh 0x00000023 xor si, 0356h 0x00000028 jmp 00007FF63516ECB1h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54307BD second address: 54307C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54307C1 second address: 54307C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54307C7 second address: 54307E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A93Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54307E0 second address: 54307E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54307E6 second address: 54307EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54307EC second address: 54307F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54307F0 second address: 5430844 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A941h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FF634B8A93Eh 0x00000011 mov ebp, esp 0x00000013 jmp 00007FF634B8A940h 0x00000018 and esp, FFFFFFF8h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF634B8A947h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430A27 second address: 5430AB8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF63516ECAAh 0x00000008 and ax, 11C8h 0x0000000d jmp 00007FF63516ECABh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 je 00007FF6A73D4601h 0x0000001c jmp 00007FF63516ECB6h 0x00000021 test byte ptr [77726968h], 00000002h 0x00000028 pushad 0x00000029 mov bl, ch 0x0000002b jmp 00007FF63516ECB3h 0x00000030 popad 0x00000031 jne 00007FF6A73D45DAh 0x00000037 jmp 00007FF63516ECB6h 0x0000003c mov edx, dword ptr [ebp+0Ch] 0x0000003f jmp 00007FF63516ECB0h 0x00000044 xchg eax, ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430AB8 second address: 5430ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430ABC second address: 5430AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430AC0 second address: 5430AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430AC6 second address: 5430B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF63516ECABh 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 push ecx 0x00000012 call 00007FF63516ECABh 0x00000017 pop eax 0x00000018 pop ebx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FF63516ECB4h 0x00000020 sub ax, 20D8h 0x00000025 jmp 00007FF63516ECABh 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007FF63516ECB8h 0x00000031 adc al, 00000038h 0x00000034 jmp 00007FF63516ECABh 0x00000039 popfd 0x0000003a popad 0x0000003b popad 0x0000003c xchg eax, ebx 0x0000003d pushad 0x0000003e movzx eax, bx 0x00000041 pushfd 0x00000042 jmp 00007FF63516ECB1h 0x00000047 sub esi, 67A631D6h 0x0000004d jmp 00007FF63516ECB1h 0x00000052 popfd 0x00000053 popad 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5430B82 second address: 5430B88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440D1F second address: 5440D25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440A43 second address: 5440AA4 instructions: 0x00000000 rdtsc 0x00000002 mov ax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FF634B8A945h 0x0000000d sbb ch, 00000066h 0x00000010 jmp 00007FF634B8A941h 0x00000015 popfd 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FF634B8A93Eh 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov edx, ecx 0x00000023 jmp 00007FF634B8A948h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440AA4 second address: 5440ABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440ABA second address: 5440ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5440ABE second address: 5440AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B0A89 second address: 54B0A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B0A8D second address: 54B0A9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B0A9F second address: 54B0B24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF634B8A941h 0x00000009 add eax, 4DB1C8D6h 0x0000000f jmp 00007FF634B8A941h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FF634B8A940h 0x0000001b or ch, FFFFFFF8h 0x0000001e jmp 00007FF634B8A93Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FF634B8A944h 0x0000002f sbb eax, 4F896958h 0x00000035 jmp 00007FF634B8A93Bh 0x0000003a popfd 0x0000003b mov ch, 7Eh 0x0000003d popad 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov ch, dh 0x00000044 push ecx 0x00000045 pop edx 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B0B24 second address: 54B0B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF63516ECAEh 0x0000000f mov ebp, esp 0x00000011 jmp 00007FF63516ECB0h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B0B65 second address: 54B0B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B0B69 second address: 54B0B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B0B6D second address: 54B0B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B002C second address: 54B0032 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54A0E3A second address: 54A0E4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF634B8A93Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54A0E4C second address: 54A0E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5450090 second address: 5450096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B02C9 second address: 54B02CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B02CF second address: 54B02D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B02D5 second address: 54B02D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B02D9 second address: 54B02DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B02DD second address: 54B02EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B02EC second address: 54B02F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B02F2 second address: 54B033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF63516ECB6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF63516ECB7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B033B second address: 54B0341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B0341 second address: 54B037D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b jmp 00007FF63516ECB7h 0x00000010 push dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF63516ECB5h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54603E0 second address: 546045B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF634B8A93Fh 0x00000009 add ah, 0000000Eh 0x0000000c jmp 00007FF634B8A949h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FF634B8A940h 0x00000018 add ax, D388h 0x0000001d jmp 00007FF634B8A93Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 call 00007FF634B8A939h 0x0000002b jmp 00007FF634B8A946h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 546045B second address: 546045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 546045F second address: 5460465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460465 second address: 546049E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF63516ECAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FF63516ECB9h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov di, 1990h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 546049E second address: 54604B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, ax 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF634B8A93Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54604B8 second address: 54604BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54604BE second address: 54604C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54604C2 second address: 54604DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF63516ECABh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54604DA second address: 54604DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54604DE second address: 54604E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54604E4 second address: 54604EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54604EA second address: 54604EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54604EE second address: 5460567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 17A3124Dh 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF634B8A949h 0x00000014 add esi, 7A3D46D6h 0x0000001a jmp 00007FF634B8A941h 0x0000001f popfd 0x00000020 push esi 0x00000021 pushad 0x00000022 popad 0x00000023 pop ebx 0x00000024 popad 0x00000025 xor dword ptr [esp], 60C4BC4Dh 0x0000002c pushad 0x0000002d mov si, dx 0x00000030 popad 0x00000031 mov eax, dword ptr fs:[00000000h] 0x00000037 jmp 00007FF634B8A947h 0x0000003c nop 0x0000003d pushad 0x0000003e mov eax, 111A443Bh 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460567 second address: 54605B4 instructions: 0x00000000 rdtsc 0x00000002 call 00007FF63516ECACh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dx, si 0x00000010 mov si, 9A59h 0x00000014 popad 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FF63516ECB1h 0x0000001f sbb ax, CDA6h 0x00000024 jmp 00007FF63516ECB1h 0x00000029 popfd 0x0000002a mov di, cx 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54605B4 second address: 5460603 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 7B4F0065h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esp, 1Ch 0x0000000e pushad 0x0000000f mov dl, ah 0x00000011 mov cx, di 0x00000014 popad 0x00000015 push esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dx, 8F42h 0x0000001d pushfd 0x0000001e jmp 00007FF634B8A943h 0x00000023 or ah, 0000003Eh 0x00000026 jmp 00007FF634B8A949h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460603 second address: 5460609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460609 second address: 5460671 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e jmp 00007FF634B8A941h 0x00000013 popad 0x00000014 xchg eax, esi 0x00000015 jmp 00007FF634B8A93Eh 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FF634B8A93Ch 0x00000024 and ah, FFFFFFC8h 0x00000027 jmp 00007FF634B8A93Bh 0x0000002c popfd 0x0000002d jmp 00007FF634B8A948h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460671 second address: 5460683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF63516ECAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5460683 second address: 546069D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF634B8A93Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov eax, edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 546069D second address: 54606C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 mov edi, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, edi 0x0000000b jmp 00007FF63516ECAEh 0x00000010 push eax 0x00000011 jmp 00007FF63516ECABh 0x00000016 xchg eax, edi 0x00000017 pushad 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 63EBEF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7E67D0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 6BEBEF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 8667D0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: 87CB3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: 87CBBE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: 87CAEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: A2790B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: A4F5B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: A31714 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: AB2FB6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Special instruction interceptor: First address: A9CB2F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Special instruction interceptor: First address: A9CC25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Special instruction interceptor: First address: C19221 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Special instruction interceptor: First address: C3FB55 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Special instruction interceptor: First address: A9A696 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Special instruction interceptor: First address: 72FC36 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Special instruction interceptor: First address: 72FD2E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Special instruction interceptor: First address: 3ADCA4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Special instruction interceptor: First address: 3ADBF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Special instruction interceptor: First address: 54CE18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Special instruction interceptor: First address: 81CB1C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Special instruction interceptor: First address: 81CA04 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Special instruction interceptor: First address: 81A44A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Special instruction interceptor: First address: 9D5846 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Special instruction interceptor: First address: A5AA42 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Special instruction interceptor: First address: 3B47F0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: 611DCA4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: 611DBF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: 62BCE18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Special instruction interceptor: First address: 61247F0 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Memory allocated: 48D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Memory allocated: 5080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Memory allocated: 5300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Memory allocated: 5100000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_054B0250 rdtsc

1_2_054B0250

Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1145	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1121	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1127	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1154	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 995	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1148	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window / User API: threadDelayed 1034
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window / User API: threadDelayed 1028
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window / User API: threadDelayed 1044
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window / User API: threadDelayed 977
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window / User API: threadDelayed 1066
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window / User API: threadDelayed 1023
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Window / User API: threadDelayed 1029
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Window / User API: threadDelayed 660
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window / User API: threadDelayed 972
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window / User API: threadDelayed 980
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window / User API: threadDelayed 1516
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window / User API: threadDelayed 979
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window / User API: threadDelayed 1490
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Window / User API: threadDelayed 974

Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1033702001\31f59e2a09.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1033701001\01c00b6fe2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1033703001\ba5ccf6bd8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1033707001\a0d135de95.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1033705001\54d18f4f90.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash\_MD2.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2596	Thread sleep count: 1145 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2596	Thread sleep time: -2291145s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2312	Thread sleep count: 1121 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2312	Thread sleep time: -2243121s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2216	Thread sleep count: 209 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2216	Thread sleep time: -6270000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5652	Thread sleep count: 1063 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5652	Thread sleep time: -2127063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8076	Thread sleep count: 1127 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8076	Thread sleep time: -2255127s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3908	Thread sleep count: 1154 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3908	Thread sleep time: -2309154s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2800	Thread sleep count: 995 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2800	Thread sleep time: -1990995s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4252	Thread sleep count: 1109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4252	Thread sleep time: -2219109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2032	Thread sleep count: 1148 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2032	Thread sleep time: -2297148s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe TID: 7744	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 2660	Thread sleep time: -2069034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 5932	Thread sleep time: -2057028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 1476	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 1840	Thread sleep time: -2089044s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 6692	Thread sleep time: -1954977s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 8444	Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 5400	Thread sleep time: -2133066s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 5820	Thread sleep time: -2047023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe TID: 5668	Thread sleep time: -2059029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe TID: 3036	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe TID: 4816	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe TID: 2496	Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe TID: 1620	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe TID: 7860	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe TID: 6764	Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 4892	Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 6828	Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 1512	Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 8012	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 6196	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 5732	Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 5972	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe TID: 6964	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe TID: 3936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 5952	Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 4072	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 4292	Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 3088	Thread sleep count: 156 > 30
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 3088	Thread sleep time: -936000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 7744	Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe TID: 7940	Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 7560	Thread sleep count: 972 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 7560	Thread sleep time: -1944972s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 6780	Thread sleep count: 980 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 6780	Thread sleep time: -1960980s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 5852	Thread sleep count: 178 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 5852	Thread sleep count: 152 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 5852	Thread sleep count: 91 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 5852	Thread sleep count: 158 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 7916	Thread sleep count: 1516 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 7916	Thread sleep time: -3033516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 6868	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 5816	Thread sleep count: 979 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 5816	Thread sleep time: -1958979s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 7944	Thread sleep count: 1490 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 7944	Thread sleep time: -2981490s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 7700	Thread sleep count: 974 > 30
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe TID: 7700	Thread sleep time: -1948974s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\dxdiag.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\dxdiag.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\dxdiag.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\dxdiag.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Source: skotes.exe, skotes.exe, 00000003.00000002.1487717715.0000000000847000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: c061393b55.exe, 00000009.00000003.1990210927.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: db0740f8e4.exe, 0000000D.00000002.2182255416.000000000142B000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2123524420.0000000001206000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122754416.0000000001205000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385366413.000000000141B000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.0000000001418000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: e0ac53ba53.exe, 00000015.00000003.2155752291.0000000005952000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696501413p
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: file.exe, 00000001.00000002.1442336336.00000000007C7000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1479897179.0000000000847000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.1487717715.0000000000847000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: db0740f8e4.exe, 0000000D.00000002.2182255416.0000000001400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX1D
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: cf4bd6029c.exe, 00000016.00000003.2237466049.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_054B0250 rdtsc

1_2_054B0250

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Code function: 13_2_00442080 LdrInitializeThunk,

13_2_00442080

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0060652B mov eax, dword ptr fs:[00000030h]	1_2_0060652B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0060A302 mov eax, dword ptr fs:[00000030h]	1_2_0060A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0068A302 mov eax, dword ptr fs:[00000030h]	2_2_0068A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0068652B mov eax, dword ptr fs:[00000030h]	2_2_0068652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0068A302 mov eax, dword ptr fs:[00000030h]	3_2_0068A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_0068652B mov eax, dword ptr fs:[00000030h]	3_2_0068652B
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 11_2_028D7FE5 mov edi, dword ptr fs:[00000030h]	11_2_028D7FE5
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Code function: 11_2_028D8162 mov edi, dword ptr fs:[00000030h]	11_2_028D8162

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Code function: 11_2_028D7FE5 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

11_2_028D7FE5

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe

Thread created: unknown EIP: 5C8A60

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Memory written: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe	Memory written: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe base: 5C0000 value starts with: 4D5A

LummaC encrypted strings found

Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: db0740f8e4.exe, 0000000B.00000002.2224918424.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pancakedipyps.click
Source: e0ac53ba53.exe, 00000015.00000003.2093443275.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe "C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe "C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe "C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe "C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe "C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe "C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe "C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe "C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe "C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Process created: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe "C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T

Source: skotes.exe, skotes.exe, 00000003.00000002.1488107501.000000000088A000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033701001\01c00b6fe2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033701001\01c00b6fe2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033702001\31f59e2a09.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033702001\31f59e2a09.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033703001\ba5ccf6bd8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033703001\ba5ccf6bd8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033705001\54d18f4f90.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033705001\54d18f4f90.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033707001\a0d135de95.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033707001\a0d135de95.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033708001\627cf45047.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033708001\627cf45047.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor\jaraco VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dxdiag.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\dxdiag.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\dxdiag.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_005ECBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

1_2_005ECBEA

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Source: cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Windows Defender\MsMpeng.exe
Source: e0ac53ba53.exe, e0ac53ba53.exe, 00000015.00000003.2240142291.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2240312371.0000000005931000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2253717755.0000000001255000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2252886391.0000000005931000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386196260.0000000001480000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2370059128.0000000001480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[4].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1033705001\54d18f4f90.exe, type: DROPPED

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.skotes.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1486452961.0000000000651000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1479494441.0000000000651000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cf4bd6029c.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e0ac53ba53.exe PID: 6660, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[5].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000032.00000003.2429756005.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2243727892.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: db0740f8e4.exe, 0000000D.00000002.2182255416.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: db0740f8e4.exe, 0000000D.00000002.2182255416.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: db0740f8e4.exe, 0000000D.00000002.2182255416.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: e0ac53ba53.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: e0ac53ba53.exe	String found in binary or memory: \Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2
Source: e0ac53ba53.exe	String found in binary or memory: \Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2
Source: db0740f8e4.exe, 0000000D.00000002.2182255416.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: e0ac53ba53.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: e0ac53ba53.exe	String found in binary or memory: gbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\passwords.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP

Source: C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe	Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe	Directory queried: number of queries: 1001

Source: Yara match	File source: 00000016.00000003.2299818266.0000000001418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2299582589.0000000001464000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2312742082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e0ac53ba53.exe PID: 6660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cf4bd6029c.exe PID: 5516, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cf4bd6029c.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e0ac53ba53.exe PID: 6660, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[5].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000032.00000003.2429756005.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2243727892.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	411 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	1 Input Capture	22 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Bypass User Account Control	5 Obfuscated Files or Information	Security Account Manager	346 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	22 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	1 Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	312 Process Injection	1 Timestomp	LSA Secrets	1181 Security Software Discovery	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Registry Run Keys / Startup Folder	2 Bypass User Account Control	DCSync	581 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	581 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	58%	Virustotal		Browse
file.exe	58%	ReversingLabs	Win32.Infostealer.Tinba
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[4].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[4].exe	55%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[1].exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[3].exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.LummaC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[4].exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[5].exe	22%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[3].exe	52%	ReversingLabs	Win32.Ransomware.FileCrypt
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe	48%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[3].exe	37%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[4].exe	39%	ReversingLabs	Win32.Infostealer.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[5].exe	83%	ReversingLabs	Win32.Ransomware.FileCrypt
C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe	48%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1033699001\8c9c7a39f7.exe	37%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1033700001\24a1c81f44.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.LummaC
C:\Users\user\AppData\Local\Temp\1033702001\31f59e2a09.exe	39%	ReversingLabs	Win32.Infostealer.Jalapeno
C:\Users\user\AppData\Local\Temp\1033703001\ba5ccf6bd8.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1033704001\a85084d20f.exe	52%	ReversingLabs	Win32.Ransomware.FileCrypt
C:\Users\user\AppData\Local\Temp\1033705001\54d18f4f90.exe	55%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1033706001\4e6501ac3b.exe	83%	ReversingLabs	Win32.Ransomware.FileCrypt
C:\Users\user\AppData\Local\Temp\1033707001\a0d135de95.exe	22%	ReversingLabs
C:\Users\user\AppData\Local\Temp\ITH3569MCVRCZNYE5XQ77V.exe	58%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://sputnik-1985.com/apidP.a	100%	Avira URL Cloud	malware
https://community.fas	0%	Avira URL Cloud	safe
https://sputnik-1985.com/apisYE	100%	Avira URL Cloud	malware
https://importlib-metadata.readthedocs.io/	0%	Avira URL Cloud	safe
https://sputnik-1985.com/=k	100%	Avira URL Cloud	malware
http://185.215.113.16/off/def.exe;_cd_	0%	Avira URL Cloud	safe
https://wheel.readthedocs.io/en/stable/news.html	0%	Avira URL Cloud	safe
https://sputnik-1985.com:443/apibe	100%	Avira URL Cloud	malware
https://steamcommunity.co	100%	Avira URL Cloud	phishing
https://sputnik-1985.com/apiu(	100%	Avira URL Cloud	malware
http://cacerts.digiX	0%	Avira URL Cloud	safe
https://sputnik-1985.com:443/api	100%	Avira URL Cloud	malware
https://community.fastl9	0%	Avira URL Cloud	safe
https://sputnik-1985.com/apiG	100%	Avira URL Cloud	malware
https://community.fastly.stea	0%	Avira URL Cloud	safe
https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm	0%	Avira URL Cloud	safe
https://sputnik-1985.com/D	100%	Avira URL Cloud	malware
https://sputnik-1985.com/apiS	100%	Avira URL Cloud	malware
https://sputnik-1985.com/l	100%	Avira URL Cloud	malware
http://185.215.113.16/off/def.exestat	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	false		high
nearycrepso.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/linkfi	cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/astral-sh/ruff	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamst	cf4bd6029c.exe, 00000016.00000003.2300941183.0000000001461000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2328481395.0000000001461000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/issues	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wheel.readthedocs.io/en/stable/news.html	c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://importlib-metadata.readthedocs.io/	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg	e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	c061393b55.exe, 0000000A.00000003.2013216168.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015713624.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2012943211.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015079597.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2014154422.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016222955.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011995088.00000200D3956000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016659534.00000200D3956000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700	e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/importlib-metadata/badge/?version=latest	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/moda	cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta	e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;	c061393b55.exe, 0000000A.00000003.2011159095.00000200D395F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011159095.00000200D3920000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900	e0ac53ba53.exe, 00000015.00000003.2122754416.00000000011D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/wheel	c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/dev/peps/pep-0427/	c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	c061393b55.exe, 0000000A.00000003.2013381002.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017270583.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015929025.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2012943211.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015459372.00000200D3870000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011705665.00000200D3C7B000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2013548335.00000200D3881000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/badge/skeleton-2024-informational	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/=k	cf4bd6029c.exe, 00000016.00000003.2300615762.000000000146F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fa	e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrE	cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.#U	cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exe;_cd_	e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/pypi/v/importlib_metadata.svg	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exe	e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fas	cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mahler:8092/site-updates.py	c061393b55.exe, 0000000A.00000003.2016384535.00000200D3CAD000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016968942.00000200D3C05000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/apidP.a	e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://tools.ietf.org/html/rfc7231#section-4.3.6)	c061393b55.exe, 0000000A.00000003.2016801906.00000200D3D4F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2018241146.00000200D3D46000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017650493.00000200D3D58000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2018067959.00000200D3D6C000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016801906.00000200D3D5F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017986400.00000200D3D58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/apisYE	cf4bd6029c.exe, 00000016.00000003.2261072491.0000000005B31000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2265081690.0000000005B31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://help.steampowered.com/en/	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com:443/apibe	cf4bd6029c.exe, 00000016.00000003.2299582589.0000000001480000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/apiu(	e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2240142291.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2253717755.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	c061393b55.exe, 0000000A.00000003.2009187642.00000200D35DF000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009919760.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2010438253.00000200D35DE000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2009512862.00000200D35D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.co	cf4bd6029c.exe, 00000016.00000003.2300941183.0000000001461000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386293420.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	e0ac53ba53.exe, 00000015.00000003.2177654462.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2264083329.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi	e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css	e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cacerts.digiX	c061393b55.exe, 00000009.00000003.2004321815.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 00000009.00000003.1989355560.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sputnik-1985.com:443/api	e0ac53ba53.exe, e0ac53ba53.exe, 00000015.00000003.2176064084.000000000592E000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2176304559.000000000592E000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2176446364.000000000592E000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2252886391.0000000005931000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2386196260.0000000001480000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2259495619.0000000005BB2000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2370059128.0000000001480000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.0000000001407000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastl9	e0ac53ba53.exe, 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/workshop/	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	e0ac53ba53.exe, 00000015.00000003.2180936760.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2196857322.0000000001470000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/apiG	cf4bd6029c.exe, 00000016.00000003.2482960425.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pypi.org/project/setuptools/	c061393b55.exe, 00000009.00000003.2003163720.0000020D0AFC7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	c061393b55.exe, 0000000A.00000003.2016296141.00000200D38FA000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2017404603.00000200D392B000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2015079597.00000200D38FD000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016878815.00000200D3907000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	e0ac53ba53.exe, 00000015.00000003.2136075338.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135809145.00000000058EB000.00000004.00000800.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2135567631.00000000058EE000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214275467.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2214000185.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.stea	cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2197558404.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2385193919.000000000145D000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2312742082.000000000144E000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2299818266.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/	c061393b55.exe, 0000000A.00000003.2016384535.00000200D3CAD000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2016968942.00000200D3C05000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/D	cf4bd6029c.exe, 00000016.00000003.2299818266.0000000001418000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/steam/random.exe	cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/apiS	cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm	c061393b55.exe, 00000009.00000003.2002397575.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64	e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/p	e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/	e0ac53ba53.exe, e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2473339717.0000000001466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/l	cf4bd6029c.exe, 00000016.00000003.2326932620.0000000001469000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	e0ac53ba53.exe, 00000015.00000003.2182075458.0000000005930000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exestat	e0ac53ba53.exe, 00000015.00000003.2402936438.0000000001258000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2403897693.000000000125A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	c061393b55.exe, 00000009.00000003.1996177520.0000020D0AFC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	e0ac53ba53.exe, 00000015.00000003.2123524420.000000000120D000.00000004.00000020.00020000.00000000.sdmp, e0ac53ba53.exe, 00000015.00000003.2122630940.0000000001255000.00000004.00000020.00020000.00000000.sdmp, cf4bd6029c.exe, 00000016.00000003.2185579285.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;r	c061393b55.exe, 0000000A.00000003.2011159095.00000200D395F000.00000004.00000020.00020000.00000000.sdmp, c061393b55.exe, 0000000A.00000003.2011159095.00000200D3920000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
104.26.9.59	unknown	United States	13335	CLOUDFLARENETUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.185.206	unknown	United States	15169	GOOGLEUS	false
20.42.65.92	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
149.154.167.220	unknown	United Kingdom	62041	TELEGRAMRU	false
104.21.112.1	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.185.163	unknown	United States	15169	GOOGLEUS	false
185.156.73.23	unknown	Russian Federation	48817	RELDAS-NETRU	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
104.102.49.254	unknown	United States	16625	AKAMAI-ASUS	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
64.233.184.84	unknown	United States	15169	GOOGLEUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585286
Start date and time:	2025-01-07 13:17:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 20m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	59
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@119/177@0/16
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target e0ac53ba53.exe, PID 6660 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
07:19:02	API Interceptor	18110328x Sleep call for process: skotes.exe modified
07:19:26	API Interceptor	7x Sleep call for process: db0740f8e4.exe modified
07:19:31	API Interceptor	8643x Sleep call for process: e0ac53ba53.exe modified
07:19:37	API Interceptor	110x Sleep call for process: cf4bd6029c.exe modified
07:19:43	API Interceptor	1x Sleep call for process: WerFault.exe modified
07:20:06	API Interceptor	381x Sleep call for process: 05c06146f2.exe modified
07:20:30	API Interceptor	177733x Sleep call for process: b3206cdf20.exe modified
13:18:23	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
13:19:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cf4bd6029c.exe C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe
13:19:49	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 05c06146f2.exe C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe
13:19:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 959ae18948.exe C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe
13:20:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run caf9f1bef3.exe C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe
13:20:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cf4bd6029c.exe C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe
13:20:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 05c06146f2.exe C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe
13:20:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 959ae18948.exe C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe
13:20:47	Task Scheduler	Run new task: Gxtuum path: C:\Users\user\AppData\Local\Temp\ce48d5f5a7\Gxtuum.exe
13:20:57	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run caf9f1bef3.exe C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe
13:21:17	Task Scheduler	Run new task: HpUpdate path: C:\Users\user\AppData\Roaming\clichannel_test\msn.exe
13:21:17	Task Scheduler	Run new task: watcherChrome_rcc_4 path: C:\Users\user\AppData\Roaming\clichannel_test\msn.exe
13:25:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 71c49c09f3.exe C:\Users\user\AppData\Local\Temp\1033710001\71c49c09f3.exe
13:25:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run a8ee70bf76.exe C:\Users\user\AppData\Local\Temp\1033711001\a8ee70bf76.exe
13:25:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 5a8e114648.exe C:\Users\user\AppData\Local\Temp\1033712001\5a8e114648.exe
13:25:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run e9a751f949.exe C:\Users\user\AppData\Local\Temp\1033713001\e9a751f949.exe
13:26:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 71c49c09f3.exe C:\Users\user\AppData\Local\Temp\1033710001\71c49c09f3.exe
13:26:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run a8ee70bf76.exe C:\Users\user\AppData\Local\Temp\1033711001\a8ee70bf76.exe
13:26:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 5a8e114648.exe C:\Users\user\AppData\Local\Temp\1033712001\5a8e114648.exe
13:26:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run e9a751f949.exe C:\Users\user\AppData\Local\Temp\1033713001\e9a751f949.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	185.215.113.43/Zu7JuNko/index.php
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	Fi3ptS6O8D.exe	Get hash	malicious	Amadey	Browse	185.215.113.43/Zu7JuNko/index.php
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
	o0cabS0OQn.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	mDuCbT8LnH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	LIWYEYWSOj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
104.26.9.59	LightSpoofer.exe	Get hash	malicious	Unknown	Browse
	Nexus-Executor.exe	Get hash	malicious	Unknown	Browse
	WaveExecutor.exe	Get hash	malicious	Unknown	Browse
	Nexus-Executor.exe	Get hash	malicious	Unknown	Browse
	Fortexternal.exe	Get hash	malicious	Unknown	Browse
	Fortexternal.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Ailurophile Stealer, Amadey, LummaC Stealer, Stealc	Browse
	ZoomInstaller.exe	Get hash	malicious	Unknown	Browse
	ZoomInstaller.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	104.21.80.209
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	104.21.80.209
	64pOGv7k4N.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.21.48.1
	https://rebrand.ly/3d446f	Get hash	malicious	HTMLPhisher	Browse	104.26.5.15
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	172.67.148.216
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	185.215.113.16
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	185.215.113.206
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	Fi3ptS6O8D.exe	Get hash	malicious	Amadey	Browse	185.215.113.43
	random(4).exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	random(6).exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	185.215.113.206
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
CLOUDFLARENETUS	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	104.21.80.209
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	104.21.80.209
	64pOGv7k4N.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.21.48.1
	https://rebrand.ly/3d446f	Get hash	malicious	HTMLPhisher	Browse	104.26.5.15
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	172.67.148.216
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
MICROSOFT-CORP-MSN-AS-BLOCKUS	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	52.109.28.46
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	204.79.197.219
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse	52.113.194.132
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	204.79.197.203
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	204.79.197.203
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	40.76.134.238
	https://147y3.trk.elasticemail.com/tracking/click?d=l6DX1ZxoYxoIu3Ps_nHCw2dpTGYsp50KhPgdcLAPZ98lDQqXluI2jbk2Kz6cWaRjWchw5Igbhe-BSjXhcIk5khB6_31XWJ3KxF070e3rxxM9hJmShBhAM7tP0jesqnjYkgFpEuivEIV6QQKt0-F18YQ1#out/0023m/435/85jy1/26p0/41/77	Get hash	malicious	Unknown	Browse	52.191.212.24
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	20.13.96.71
	miori.x86.elf	Get hash	malicious	Unknown	Browse	22.35.211.83
	x86_64.elf	Get hash	malicious	Mirai	Browse	51.111.190.47

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse
	random(4).exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse
	random.exe	Get hash	malicious	Stealc, Vidar	Browse
	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
C:\ProgramData\mozglue.dll	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	random(4).exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse
	random.exe	Get hash	malicious	Stealc, Vidar	Browse
	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse

Input	Output
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=e0ac53ba53.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This application could not be started", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://learn.microsoft.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://learn.microsoft.com
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=e0ac53ba53.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }

Process:	C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03799545499236577
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZru/bNb/fc3DDTnHI:58r54w0VW3xWZrwbFHc3T
MD5:	96AB9233CA2AB3982F98B1BA44CFFE32
SHA1:	A72C6AF1881274392B7D73594D78C4D3F1B91428
SHA-256:	C764FE5DA2665335A3C2E60091F08E21A16CEC35EFD453AE092FEB1D7C3D69BC
SHA-512:	E09E96834C049E56FE5E9A56BA1635CA6A4FB5DF2F2EB8F339C94D4BCF2D24150592B2833D084BD4BD7D0319B4D5C493B5B49A64310E084684375D645DD8CEEC
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8988395542196429
Encrypted:	false
SSDEEP:	96:fbYF2sX+bs3gejTOAqyS3QXIDcQlc6VcEdcw3V+BHUHZ0ownOgHkEwH3dEFYAKcR:MoO+blA0LR3EaGGzuiFcaZ24IO8v
MD5:	39E70F71C9F81308B926FF4DAD34BCBF
SHA1:	B489A03D255145AC0F0C83D0964BFAF42F68634D
SHA-256:	67FD2C77E1E1EF4B319D30B9F55A53C991FF8AA5DFE9B234A174248764E2D698
SHA-512:	DED6654ECF2C0442B4DFC2A5AFBF47B63994583A417F80F76346BADB85BAC783C1A78ECE76950855BDB9F486F050C949C09F05F9A836348E6A6BC277FE9E837C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.7.2.5.9.6.6.6.4.9.3.4.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.7.2.5.9.6.8.0.2.4.3.4.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.8.7.3.8.4.a.-.7.d.6.9.-.4.e.7.a.-.b.9.2.9.-.e.6.0.b.6.c.4.b.5.f.3.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.1.3.7.8.7.f.-.b.8.b.4.-.4.1.1.c.-.8.6.3.4.-.a.a.b.3.d.e.e.d.c.9.2.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.b.0.7.4.0.f.8.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.a.8.-.0.0.0.1.-.0.0.1.3.-.b.b.5.c.-.2.b.6.3.f.e.6.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.6.9.c.0.3.1.1.f.0.b.1.2.1.e.b.3.7.8.e.9.0.a.1.d.d.8.8.9.2.5.c.4.2.4.c.1.a.0.7.b.!.

Process:	C:\Windows\System32\dxdiag.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85405
Entropy (8bit):	5.206409311600344
Encrypted:	false
SSDEEP:	768:/P9JWMB5MBB+Q6Uc8FgGVoXX7lV6EMR57X3i0hG6gHCXkNEr+aL/FkJOlKwY0:/7cKOV2uRoxHtOu0
MD5:	3B8B45C78C4035678BEB4398B93802B0
SHA1:	1BF171527F74E2BEB9A6EAD91ED7D999A19B9AEF
SHA-256:	B99265EEB37BA2ED17ED9740E331CFCDEEFD8BF8C807FA845A8242A9B85D5575
SHA-512:	546059755FADC56DF2BDC57E2C4D3AD1B7585DE0C36DA5AE2E26635285547F792B35F6386023ADAC7572EC502E0025CEB19A50EA6D9EF66E4CE9C652E84D36E8
Malicious:	false
Reputation:	unknown
Preview:	------------------..System Information..------------------.. Time of this report: 1/7/2025, 07:19:28.. Machine name: 724471.. Machine Id: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}.. Operating System: Windows 10 Pro 64-bit (10.0, Build 19045) (19041.vb_release.191206-1406).. Language: English (Regional Setting: English).. System Manufacturer: h96ocwcKYwRt824.. System Model: vRs XCOe.. BIOS: VMW201.00V.20829224.B64.2211211842 (type: UEFI).. Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 CPUs), ~2.0GHz.. Memory: 8192MB RAM.. Available OS Memory: 8192MB RAM.. Page File: 1843MB used, 6347MB available.. Windows Dir: C:\Windows.. DirectX Version: DirectX 12.. DX Setup Parameters: Not found.. User DPI Setting: 96 DPI (100 percent).. System DPI Setting: 96 DPI (100 percent).. DWM DPI Scaling: Disable

Process:	C:\Users\user\AppData\Local\Temp\1033697001\caf9f1bef3.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	41554
Entropy (8bit):	6.09205220911995
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kuzUXqgfbQlXUqNNJ8vQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7yn7TDqfyW0e6kaoZ
MD5:	34339FFA3C6FFD919E055A937E79F96F
SHA1:	DB2D66774997BE1D9B39B277C3A12E9CDF0BD82B
SHA-256:	957B5F634A3B6F312F29D54ABF54BD6FA30B896CE7DDC1E91A2A5C3D90A6BB50
SHA-512:	8F0FE09D8D253BF663863EDC77A1ACD9BE27C037FA520846397BD75CBCB2370AC56DB92D4AE9A3918431112D2252D15790563AB7E71FC876CA88501CC183F074
Malicious:	false
Reputation:	unknown
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

Process:	C:\Users\user\AppData\Local\Temp\1033698001\b3206cdf20.exe
File Type:	data
Category:	dropped
Size (bytes):	97296
Entropy (8bit):	7.9982317718947025
Encrypted:	true
SSDEEP:	1536:A1FazaNKjs9ezO6kGnCRFVjltPjM9Ew1MhiIeJfZCQdOlnq32YTCUZiyAS3tUX9F:k4zaMjVUGCRzbgqw1MoIeJyQ4nyqX9F
MD5:	E6743949BBF24B39B25399CD7C5D3A2E
SHA1:	DBE84C91A9B0ACCD2C1C16D49B48FAEAEC830239
SHA-256:	A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C
SHA-512:	3D50396CDF33F5C6522D4C485D96425C0DDB341DB9BD66C43EAE6D8617B26A4D9B4B9A5AEE0457A4F1EC6FAC3CB8208C562A479DCAE024A50143CBFA4E1F15F6
Malicious:	false
Reputation:	unknown
Preview:	XM .4Ih..]...t.&.s...v.0{.v.vs'...:.l.h...e.....R....1...r.R+Fk....~.s.....Q.....r.T.b.....~c..[........;...j.@.0.%.....x...v.w.....<ru....Yre;.b6...HQ-...8.B..Q.a...R.:.h&r.......=.;r.k..T.@....l..;#..3!.O..x.}........y'<.GfQ.K.#.L5v..].......d....N{e..@................A\..<.t.u.X.O.n..Z.. .Xb.O<.Z...h~.(.W.f.z.V.4..L...%5.0...H..`s...y.B......(IL5s:aS}X.......M9.J.o....).'..M;n6]...W..n....)...L...._..e.....>....[....RA.........'...6.N..g6....IY.%h.. 3r....^..\.b~y./....h.2......ZLk....u}..V..<.fbD.<!.._2.zo..IE...P..O...u......P.......w#.6N..&l.R}GI...LY...N.yz..j..Hy.'..._.5..Pd9.y..+....6.q...).G.c...L#....5\.M....5U])....U(..~H.m....Y....G1.r.4.B..h........P..]i...M%.............)q......]....~\|..j...b..K!..N.7R.}T.2bsq..1...L^..!.\|q.D'...s.Ln...D@..bn%0=b.Q1.....+l...QXO\|.......NC.d......{.0....8F.....<.W.y..{o..j.3.....n..4.....eS]. K...o.B.H~.sh.1....m8....6{.ls..R..q..~....w._;....X*.#..U....6n.ODbT.+Zc....q....S.$-S`YT....

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3104256
Entropy (8bit):	6.625022195702856
Encrypted:	false
SSDEEP:	49152:fWBcAgnnqVX9myu4fWiQbBpZp1xnZ5h6KOXebx6MnF1g:fWCnnqVX9myNOiQb/96RObxlnFe
MD5:	612B785A52C7C281DD891D4835E0E4CE
SHA1:	689A488E8E86D7F820732871FB795D193100C8EC
SHA-256:	DB2E536B6E14A6E936ACBEEC7478624756F82C5A4EAEC9353B4EE7628153970F
SHA-512:	384E22D7D20FB61D1F19672C1A6982532BA54EEFE6A07E97E4CBFAA89E24D2C2FAB7659F000916988159F1F661724205FFC0FC44749B9EFA7ED375B93645698F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....vg.................H...........p/...........@.........................../.....T\0...@.................................Y...m....p.............................................................................................................. . .`.......`..................@....rsrc........p.......p..............@....idata .............t..............@...ikmnjisi..).......)..v..............@...nmpoliea.....`/......8/.............@....taggant.0...p/.."...</.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1864192
Entropy (8bit):	7.945598151255693
Encrypted:	false
SSDEEP:	49152:q5eCT3PGWaVABisbebqgoy6zNZ/N5SU9a:q5eCyVKisbrzy6zNMAa
MD5:	8E7317BD5F12DA95C46CA94572B2C331
SHA1:	F4D5D81D5455D2EF430530CA46266CB263C0A4C3
SHA-256:	AF3387F8CF8C8581429C089B8B0CF1C5DADB32F2034EC21DD5A5149EAF8BF4E5
SHA-512:	4A3D839A55AC2CA1AAA56EE4A7F5762BAEE5CDA44F9CBECD93B79188A9BAD1EFF7D3F48ECE83071CF3FA1BA3BC26B1D9E6B7F9DA3317BE4E5291B50617A51281
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L..."&{g.....................*.......pk...........@...........................k...........@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@... ..+...$......\|..............@...scpusmou......P......~..............@...wkvcxnam.....`k......L..............@....taggant.0...pk.."...P..............@...................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3266048
Entropy (8bit):	6.660535254211377
Encrypted:	false
SSDEEP:	49152:f8b8hJPihGwpbG0jjgdqtjGPzXbRIo9HleY4srXld:f08hBihGwpbG0jjgdqtqr4O
MD5:	F54491FDB13ECAB8B06510F1C8431032
SHA1:	2E42F6E1A1A559A6EA6DBB974F68D3F598E568FC
SHA-256:	40ADBA8FC61052A26BAEB280F4645287CE1390E81BA42FF57B746F71B1C9F623
SHA-512:	974BEE8B43F27CFD9D3539C9B2A9BAB886B0A91141DDEF9362846B7424773C5D4BE5BB88D1CA3905D7DA06C2315A69494D064926896212237AE0057A72938E0B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................2.....'.1...@.................................W...k.............................1...............................1..................................................... . ............................@....rsrc...............................@....idata ............................@...sihywpwu. +.......+.................@...snftdmjr......1.......1.............@....taggant.0....1.."....1.............@...........................................................................................................................................................................................................................................................

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1808), with CRLF line terminators
Category:	dropped
Size (bytes):	10780
Entropy (8bit):	5.490003400075434
Encrypted:	false
SSDEEP:	192:HnBRNC3YbBp6lR1+PaX56/x8lCz9/3/OHNBw8MXSl:Oee1M/xbUPw70
MD5:	573E3493A89E569800F845C62085E9AD
SHA1:	A5F018A1F094B5DBD42B31CE60F7E7170CFF29D8
SHA-256:	9D4B7FFDA8ED67F8205701A36EC908BA7B099C058A75E5073F761362D9B729B8
SHA-512:	3207F9F8964B77883803D6A3622A53D08D8C8BA94186B3751492378E220A2ED37A557B0E084F06F27F435F814FF2F2F09D2A55B169A2725E3BA8576379DFAB3E
Malicious:	false
Reputation:	unknown
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "ecedec8f-7097-47fc-a9e3-d74f0c8e2503");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696499493);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696499494);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

Entrypoint:	0x71e000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31c310	0x10	sihywpwu
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x31c2c0	0x18	sihywpwu
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x68000	d632dc3394074b2800cf35a414b0dc45	False	0.5572744516225961	data	7.019860685017432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x5d4	0x400	0007bf14ad5c1c4874fe7edac3bd60c6	False	0.70703125	data	5.882066484983677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sihywpwu	0x6b000	0x2b2000	0x2b1a00	efbb02a4cc85e1231f9f16a25e5d135f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
snftdmjr	0x31d000	0x1000	0x400	fb2302b3310f3c846053178cd8619ff2	False	0.7900390625	data	6.1388308777489025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x31e000	0x3000	0x2200	511c72d4557fe3c7193f46a37d0e9c96	False	0.06089154411764706	DOS executable (COM)	0.7503800222433393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x31c320	0x3e4	XML 1.0 document, ASCII text			0.48092369477911645
RT_MANIFEST	0x31c704	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Target ID:	1
Start time:	07:18:19
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x5d0000
File size:	3'266'048 bytes
MD5 hash:	F54491FDB13ECAB8B06510F1C8431032
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1442088031.00000000005D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	07:18:23
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0x650000
File size:	3'266'048 bytes
MD5 hash:	F54491FDB13ECAB8B06510F1C8431032
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1479494441.0000000000651000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	07:19:00
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0x650000
File size:	3'266'048 bytes
MD5 hash:	F54491FDB13ECAB8B06510F1C8431032
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	9
Start time:	07:19:19
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"
Imagebase:	0x7ff6eb830000
File size:	13'955'025 bytes
MD5 hash:	CB538563778A18D571E87AD75705668E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 48%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	10
Start time:	07:19:22
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1033606001\c061393b55.exe"
Imagebase:	0x7ff6eb830000
File size:	13'955'025 bytes
MD5 hash:	CB538563778A18D571E87AD75705668E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Amadey

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AFIEGIECGCBKFIEBGCAAFIEBFC

C:\ProgramData\GCAEHDBAAECBFHJKFCFB

C:\ProgramData\GCGHIIDH

C:\ProgramData\HJKJKKKJJJKJKFHJJJJECBFCGH

C:\ProgramData\IEBFIEBA

Windows Analysis Report
file.exe

Target ID:	11
Start time:	07:19:23
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe"
Imagebase:	0x5f0000
File size:	349'696 bytes
MD5 hash:	6446A00EB59754E15749AF229B0D5217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	07:19:25
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1033691001\db0740f8e4.exe"
Imagebase:	0xd40000
File size:	349'696 bytes
MD5 hash:	6446A00EB59754E15749AF229B0D5217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	17
Start time:	07:19:27
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt"
Imagebase:	0x7ff725d10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	19
Start time:	07:19:28
Start date:	07/01/2025
Path:	C:\Windows\System32\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt
Imagebase:	0x7ff6f0fc0000
File size:	272'384 bytes
MD5 hash:	19AB5AD061BF013EBD012D0682DF37E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	21
Start time:	07:19:29
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1033693001\e0ac53ba53.exe"
Imagebase:	0x820000
File size:	1'883'136 bytes
MD5 hash:	37E85A34D4EC7C387A79E20CE262F2CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2211666253.0000000001253000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	22
Start time:	07:19:35
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1033694001\cf4bd6029c.exe"
Imagebase:	0xa40000
File size:	3'104'256 bytes
MD5 hash:	612B785A52C7C281DD891D4835E0E4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2299818266.0000000001418000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2299582589.0000000001464000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2312742082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	23
Start time:	07:19:38
Start date:	07/01/2025
Path:	C:\Windows\System32\drivers\mstee.sys
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff7dfef0000
File size:	12'288 bytes
MD5 hash:	244C73253E165582DDC43AF4467D23DF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	25
Start time:	07:19:41
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1033695001\05c06146f2.exe"
Imagebase:	0x4e0000
File size:	1'864'192 bytes
MD5 hash:	8E7317BD5F12DA95C46CA94572B2C331
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000019.00000003.2243727892.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	26
Start time:	07:19:46
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1033696001\959ae18948.exe"
Imagebase:	0x6e0000
File size:	969'728 bytes
MD5 hash:	A5F4B776FBC130947C7EA91252E30747
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	07:19:49
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x840000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true